From bf0c98976d4997e2f8c491b9acd292e3db45f3b7 Mon Sep 17 00:00:00 2001
From: Alexandr Garaga <agaraga@cloudlinux.com>
Date: Fri, 27 Jan 2017 18:13:50 +0700
Subject: [PATCH 1/4] Add cpanel decoders and rules.

---
 etc/decoder.xml            | 64 +++++++++++++++++++++++++++++++
 etc/ossec-server.conf      | 17 +++++++++
 etc/rules/cpanel_rules.xml | 78 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 159 insertions(+)
 create mode 100644 etc/rules/cpanel_rules.xml

diff --git a/etc/decoder.xml b/etc/decoder.xml
index 569858346..be0a17fca 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -2896,4 +2896,68 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
   <order>srcip,url</order>
 </decoder>
 
+
+<!-- cPanel decoder.
+  - Examples:
+  - [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
+  - [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
+-->
+<decoder name="cpanel-login">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ -</prematch>
+  <regex>info [cpsrvd] (\S+) - (\S+)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<!-- cPanel decoder.
+     Because of default postgresql decoder overwrites cpanel-login-log rule in case time offset with minus (-0500). This rule is necessary to cover all cases of logs
+  - Examples:
+  - [2016-11-21 04:14:58 -0500] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
+  - [2017-01-25 03:16:27 -0500] info [cpsrvd] 10.1.5.19 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
+  - [2017-01-25 05:37:47 -0500] info [cpsrvd] 10.1.5.19 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: root login is not permitted to cpaneld
+  - [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
+  - [2017-01-25 06:08:58 -0500] info [cpsrvd] 10.1.5.19 - test@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
+  - [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
+  - [2016-04-18 13:07:13 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN cpaneld
+  - [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld
+  - [2016-04-18 13:08:24 -0400] info [cpsrvd] 10.1.5.19 - reseller - SUCCESS LOGIN webmaild
+  - [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild
+-->
+
+<decoder name="cpanel-login2">
+  <parent>postgresql_log</parent>
+  <prematch offset="after_parent">^info [cpsrvd] \S+ -</prematch>
+  <regex>info [cpsrvd] (\S+) - (\S+)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<!-- cPanel decoder.
+  - Examples:
+  - 10.1.5.19 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN cpdavd: Could not fetch system home directory for paul
+-->
+
+<decoder name="cpanel-access-failed">
+  <parent>web-accesslog</parent>
+  <prematch offset="after_parent">FAILED LOGIN</prematch>
+  <regex>^(\S+) \S+ (\S+)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<!-- cPanel decoder.
+  - Examples:
+  - [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
+  - [2017-01-25 06:15:38 +0000] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
+-->
+<decoder name="cpanel-session">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ PURGE</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<decoder name="cpanel-session2">
+  <parent>postgresql_log</parent>
+  <prematch offset="after_parent">^info [cpsrvd] \S+ PURGE</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
 <!-- EOF -->
diff --git a/etc/ossec-server.conf b/etc/ossec-server.conf
index dbee6687a..6bea92f33 100755
--- a/etc/ossec-server.conf
+++ b/etc/ossec-server.conf
@@ -72,6 +72,7 @@
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
     <include>local_rules.xml</include>
+    <include>cpanel_rules.xml</include>
   </rules>
 
 
@@ -201,4 +202,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+
 </ossec_config>
diff --git a/etc/rules/cpanel_rules.xml b/etc/rules/cpanel_rules.xml
new file mode 100644
index 000000000..160d6176d
--- /dev/null
+++ b/etc/rules/cpanel_rules.xml
@@ -0,0 +1,78 @@
+<!-- Authors: Alexandr Garaga, Paul Klymenko
+-
+-  This program is a free software; you can redistribute it
+-  and/or modify it under the terms of the GNU General Public
+-  License (version 2) as published by the FSF - Free Software
+-  Foundation.
+-
+-  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+-->
+
+<!-- cPanel messages -->
+<group name="syslog,">
+
+<!-- Two same rules but with different decoders because logs have different format -->
+  <rule id="11000" level="5">
+    <if_sid>2501</if_sid>
+    <decoded_as>cpanel-login</decoded_as>
+    <regex>FAILED LOGIN</regex>
+    <description>Possible attack on the cpanel services</description>
+  </rule>
+
+  <rule id="11001" level="5">
+    <if_sid>50500</if_sid>
+    <decoded_as>postgresql_log</decoded_as>
+    <regex>FAILED LOGIN</regex>
+    <description>Possible attack on the cpanel services</description>
+  </rule>
+
+  <rule id="11002" level="5">
+    <if_sid>2501</if_sid>
+    <decoded_as>web-accesslog</decoded_as>
+    <regex>FAILED LOGIN</regex>
+    <description>Possible attack on the cpanel services</description>
+  </rule>
+
+<!-- We raise level to send alert considering frequency (6 see doc why) and timeframe (6 minutes) -->
+  <rule id="11003" level="10" frequency="4" timeframe="360">
+    <if_matched_sid>11001</if_matched_sid>
+    <description>Possible breakin attempt</description>
+  </rule>
+
+  <rule id="11004" level="10" frequency="4" timeframe="360">
+    <if_matched_sid>11000</if_matched_sid>
+    <description>Possible breakin attempt</description>
+  </rule>
+
+  <rule id="11005" level="10" frequency="4" timeframe="360">
+    <if_matched_sid>11002</if_matched_sid>
+    <description>Possible breakin attempt</description>
+  </rule>
+
+  <rule id="11006" level="3">
+    <decoded_as>cpanel-login</decoded_as>
+    <match>SUCCESS LOGIN</match>
+    <description>Cpanel login success</description>
+  </rule>
+
+  <rule id="11007" level="3">
+    <if_sid>50500</if_sid>
+    <decoded_as>postgresql_log</decoded_as>
+    <match>SUCCESS LOGIN</match>
+    <description>Cpanel login success</description>
+  </rule>
+
+  <rule id="11008" level="3">
+    <decoded_as>cpanel-session</decoded_as>
+    <match>PURGE</match>
+    <description>Cpanel session purge</description>
+  </rule>
+
+  <rule id="11009" level="3">
+    <if_sid>50500</if_sid>
+    <decoded_as>postgresql_log</decoded_as>
+    <match>PURGE</match>
+    <description>Cpanel session purge</description>
+  </rule>
+
+  </group> <!-- SYSLOG -->

From 8d6a66bb8f290baf747e0fb3a52c7809458c1044 Mon Sep 17 00:00:00 2001
From: Alexandr Garaga <agaraga@cloudlinux.com>
Date: Mon, 30 Jan 2017 16:55:50 +0700
Subject: [PATCH 2/4] Fix broken cpanel-access-failed decoder failing tests

---
 etc/decoder.xml            | 3 +--
 etc/rules/cpanel_rules.xml | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/etc/decoder.xml b/etc/decoder.xml
index be0a17fca..f7e59b22b 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -2936,8 +2936,7 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
 -->
 
 <decoder name="cpanel-access-failed">
-  <parent>web-accesslog</parent>
-  <prematch offset="after_parent">FAILED LOGIN</prematch>
+  <prematch>^\S+ \S+ \S+ [\d\d/\d\d/\d\d\d\d:\d\d:\d\d:\d\d \S*\d+] "\S+" FAILED LOGIN</prematch>
   <regex>^(\S+) \S+ (\S+)</regex>
   <order>srcip,user</order>
 </decoder>
diff --git a/etc/rules/cpanel_rules.xml b/etc/rules/cpanel_rules.xml
index 160d6176d..28ed5b1ae 100644
--- a/etc/rules/cpanel_rules.xml
+++ b/etc/rules/cpanel_rules.xml
@@ -28,7 +28,7 @@
 
   <rule id="11002" level="5">
     <if_sid>2501</if_sid>
-    <decoded_as>web-accesslog</decoded_as>
+    <decoded_as>cpanel-access-failed</decoded_as>
     <regex>FAILED LOGIN</regex>
     <description>Possible attack on the cpanel services</description>
   </rule>

From fc5939deee2711e8e2000f85205209283572f510 Mon Sep 17 00:00:00 2001
From: Alexandr Garaga <agaraga@cloudlinux.com>
Date: Mon, 30 Jan 2017 17:11:42 +0700
Subject: [PATCH 3/4] Add support for cpanel rules to other setup types: agent,
 local, hybrid.

---
 etc/ossec-agent.conf | 16 ++++++++++++++++
 etc/ossec-local.conf | 17 +++++++++++++++++
 etc/ossec.conf       | 19 ++++++++++++++++++-
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/etc/ossec-agent.conf b/etc/ossec-agent.conf
index 662a38229..f7bfe715b 100755
--- a/etc/ossec-agent.conf
+++ b/etc/ossec-agent.conf
@@ -65,4 +65,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+    
 </ossec_config>
diff --git a/etc/ossec-local.conf b/etc/ossec-local.conf
index 2864e7590..f8f2f21c0 100755
--- a/etc/ossec-local.conf
+++ b/etc/ossec-local.conf
@@ -74,6 +74,7 @@
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
     <include>local_rules.xml</include>
+    <include>cpanel_rules.xml</include>
   </rules>
 
   <syscheck>
@@ -197,4 +198,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+    
 </ossec_config>
diff --git a/etc/ossec.conf b/etc/ossec.conf
index e65c97d43..226da1421 100755
--- a/etc/ossec.conf
+++ b/etc/ossec.conf
@@ -32,7 +32,8 @@
     <include>dropbear_rules.xml</include>
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
-  </rules>  
+    <include>cpanel_rules.xml</include>
+  </rules>
 
   <syscheck>
     <!-- Frequency that syscheck is executed -- default every 2 hours -->
@@ -160,4 +161,20 @@
     <log_format>apache</log_format>
     <location>/var/www/logs/error_log</location>
   </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/login_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/access_log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/usr/local/cpanel/logs/session_log</location>
+  </localfile>
+    
 </ossec_config>

From fbf75a82cbd0b01d47e19d32501b7ec302355a2c Mon Sep 17 00:00:00 2001
From: Alexandr Garaga <agaraga@cloudlinux.com>
Date: Fri, 3 Feb 2017 16:23:40 +0700
Subject: [PATCH 4/4] Fix cpanel rules and decoders.

This fix should detect successful logins from cpanel session_log instead of login_log and thus work on older versions of cpanel. In addition, the logout decoders and rules are made more specific since there are other 'PURGE' events in cpanel session_log with a different format and semantics than logout events.
---
 etc/decoder.xml            | 65 +++++++++++++++++++++++---------------
 etc/rules/cpanel_rules.xml | 18 +++++------
 2 files changed, 49 insertions(+), 34 deletions(-)

diff --git a/etc/decoder.xml b/etc/decoder.xml
index 94591968d..366698457 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -2942,15 +2942,15 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
   <prematch offset="after_parent">^SMTP call from </prematch>
   <regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex>
   <order>srcip</order>
+</decoder>
 
 
 <!-- cPanel decoder.
   - Examples:
-  - [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
-  - [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
+  - [2016-11-18 09:32:19 +0000] info [cpsrvd] 46.118.10.79 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
 -->
-<decoder name="cpanel-login">
-  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ -</prematch>
+<decoder name="cpanel-login-failed">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \.+FAILED LOGIN</prematch>
   <regex>info [cpsrvd] (\S+) - (\S+)</regex>
   <order>srcip,user</order>
 </decoder>
@@ -2958,50 +2958,65 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
 <!-- cPanel decoder.
      Because of default postgresql decoder overwrites cpanel-login-log rule in case time offset with minus (-0500). This rule is necessary to cover all cases of logs
   - Examples:
-  - [2016-11-21 04:14:58 -0500] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
-  - [2017-01-25 03:16:27 -0500] info [cpsrvd] 10.1.5.19 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
-  - [2017-01-25 05:37:47 -0500] info [cpsrvd] 10.1.5.19 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: root login is not permitted to cpaneld
-  - [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
-  - [2017-01-25 06:08:58 -0500] info [cpsrvd] 10.1.5.19 - test@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
-  - [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
-  - [2016-04-18 13:07:13 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN cpaneld
-  - [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld
-  - [2016-04-18 13:08:24 -0400] info [cpsrvd] 10.1.5.19 - reseller - SUCCESS LOGIN webmaild
-  - [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild
+  - [2016-11-21 04:14:58 -0500] info [cpsrvd] 37.130.227.133 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
+  - [2017-01-25 03:16:27 -0500] info [cpsrvd] 10.101.1.14 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
+  - [2017-01-25 05:37:47 -0500] info [cpsrvd] 172.20.93.26 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: root login is not permitted to cpaneld
+  - [2017-01-25 06:01:10 -0500] info [cpsrvd] 172.20.93.26 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
+  - [2017-01-25 06:08:58 -0500] info [cpsrvd] 172.20.93.26 - test@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
 -->
 
-<decoder name="cpanel-login2">
+<decoder name="cpanel-login-failed2">
   <parent>postgresql_log</parent>
-  <prematch offset="after_parent">^info [cpsrvd] \S+ -</prematch>
+  <prematch offset="after_parent">^info [cpsrvd] \.+FAILED LOGIN</prematch>
   <regex>info [cpsrvd] (\S+) - (\S+)</regex>
   <order>srcip,user</order>
 </decoder>
 
 <!-- cPanel decoder.
   - Examples:
-  - 10.1.5.19 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN cpdavd: Could not fetch system home directory for paul
+  - 46.118.10.79 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN cpdavd: Could not fetch system home directory for paul
 -->
 
 <decoder name="cpanel-access-failed">
-  <prematch>^\S+ \S+ \S+ [\d\d/\d\d/\d\d\d\d:\d\d:\d\d:\d\d \S*\d+] "\S+" FAILED LOGIN</prematch>
+  <parent>web-accesslog</parent>
+  <prematch offset="after_parent">FAILED LOGIN</prematch>
   <regex>^(\S+) \S+ (\S+)</regex>
-  <order>srcip,user</order>  
+  <order>srcip,user</order>
+</decoder>
+
+
+<!-- cPanel decoder.
+  - Examples:
+  - [2017-02-03 01:21:31 +0500] info [cpsrvd] 10.101.1.18 NEW testuser:XImQi9d3anWMNSc9 address=10.101.1.18,app=cpaneld,creator=pupkin,method=handle_form_login,path=form,possessed=0
+  - [2017-02-03 01:21:31 -0500] info [cpsrvd] 10.101.1.18 NEW testuser:XImQi9d3anWMNSc9 address=10.101.1.18,app=cpaneld,creator=pupkin,method=handle_form_login,path=form,possessed=0
+-->
+<decoder name="cpanel-login-success">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ NEW</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<decoder name="cpanel-login-success2">
+  <parent>postgresql_log</parent>
+  <prematch offset="after_parent">^info [cpsrvd] \S+ NEW</prematch>
+  <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
+  <order>srcip,user</order>
 </decoder>
 
 <!-- cPanel decoder.
   - Examples:
-  - [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
-  - [2017-01-25 06:15:38 +0000] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
+  - [2017-01-25 06:15:38 -0500] info [cpsrvd] 172.20.93.26 PURGE root:Nmm4xzhSpA2Sddv3 logout
+  - [2017-01-25 06:15:38 +0000] info [cpsrvd] 172.20.93.26 PURGE root:Nmm4xzhSpA2Sddv3 logout
 -->
-<decoder name="cpanel-session">
-  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ PURGE</prematch>
+<decoder name="cpanel-session-logout">
+  <prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ PURGE \S+ logout$</prematch>
   <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
   <order>srcip,user</order>
 </decoder>
 
-<decoder name="cpanel-session2">
+<decoder name="cpanel-session-logout2">
   <parent>postgresql_log</parent>
-  <prematch offset="after_parent">^info [cpsrvd] \S+ PURGE</prematch>
+  <prematch offset="after_parent">^info [cpsrvd] \S+ PURGE \S+ logout$</prematch>
   <regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
   <order>srcip,user</order>
 </decoder>
diff --git a/etc/rules/cpanel_rules.xml b/etc/rules/cpanel_rules.xml
index 28ed5b1ae..5dca9ee01 100644
--- a/etc/rules/cpanel_rules.xml
+++ b/etc/rules/cpanel_rules.xml
@@ -14,7 +14,7 @@
 <!-- Two same rules but with different decoders because logs have different format -->
   <rule id="11000" level="5">
     <if_sid>2501</if_sid>
-    <decoded_as>cpanel-login</decoded_as>
+    <decoded_as>cpanel-login-failed</decoded_as>
     <regex>FAILED LOGIN</regex>
     <description>Possible attack on the cpanel services</description>
   </rule>
@@ -50,29 +50,29 @@
   </rule>
 
   <rule id="11006" level="3">
-    <decoded_as>cpanel-login</decoded_as>
-    <match>SUCCESS LOGIN</match>
+    <decoded_as>cpanel-login-success</decoded_as>
+    <match>NEW</match>
     <description>Cpanel login success</description>
   </rule>
 
   <rule id="11007" level="3">
     <if_sid>50500</if_sid>
     <decoded_as>postgresql_log</decoded_as>
-    <match>SUCCESS LOGIN</match>
+    <match>NEW</match>
     <description>Cpanel login success</description>
   </rule>
 
   <rule id="11008" level="3">
-    <decoded_as>cpanel-session</decoded_as>
-    <match>PURGE</match>
-    <description>Cpanel session purge</description>
+    <decoded_as>cpanel-session-logout</decoded_as>
+    <regex>PURGE \S+ logout</regex>
+    <description>Cpanel session logout</description>
   </rule>
 
   <rule id="11009" level="3">
     <if_sid>50500</if_sid>
     <decoded_as>postgresql_log</decoded_as>
-    <match>PURGE</match>
-    <description>Cpanel session purge</description>
+    <regex>PURGE \S+ logout</regex>
+    <description>Cpanel session logout</description>
   </rule>
 
   </group> <!-- SYSLOG -->