This is a bit rough. I've tested it to make sure it doesn't hurt anything else, but my tests aren't exhaustive. Also, it's tough with only 1 log sample to make sure I've got everything. And last but not least, I didn't look at the other web decoders to make sure the items I placed in <order> match up to what they use. But here's a decoder:
<decoder name="ssl-cert">
  <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
  <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
  <order>srcuser,id,srcip,action,url,status,extra_data</order>
</decoder>

Here's what it looks like going through logtest:

# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
ossec-testrule: Type one log per line.

"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"

**Phase 1: Completed pre-decoding.
       full event: '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
       hostname: 'ix'
       program_name: '(null)'
       log: '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'

**Phase 2: Completed decoding.
       decoder: 'ssl-cert'
       srcuser: 'Vitor Correia'
       id: 'PT'
       srcip: '89.155.91.201'
       action: 'GET'
       url: '/collect/main/'
       status: '200'
       extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'

To write a rule you'd use something like:

<rule id="NUMBER" level="NUMBER">
  <id>PT</id>
  <description>something</description>
</rule>

I'd run a bunch of logs through ossec-logtest to make sure it works on all of them and not just the one you posted. But this should be enough to get you started. If it doesn't work for another log, feel free to post back with that log. I can help tune it if you need it.
Also, a little self-promotion: http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html

That blog post describes writing decoders bit by bit, using ossec-logtest to test it out.

HTH!
dan

On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <vhcorr...@gmail.com> wrote:
> Hello everyone,
>
> How can I go about writing a decoder/rule to send me an email every
> time a log entry like this is registered?
>
> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>
> I'm interested in catching the bit which says "PT", that will be the
> bit that will always appear.
>
>
> Thanks in advance.
>
>
> Vitor Correia
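The reply above recommends running many log lines through ossec-logtest before trusting the decoder. The script below is an added example, not part of the thread and not OSSEC code: it is a Python stand-in for the posted "ssl-cert" decoder and the `<id>PT</id>` rule, so the field extraction can be vetted against a batch of lines offline. OSSEC's regex dialect is not PCRE (`\.` is any character, `\S` non-space, `\d` digit, `\p` punctuation, and `[`/`]` are literal), so the pattern here is a hand translation with the same capture order; the field names follow the decoder's `<order>`. Only the first sample line comes from the question; the other two are constructed, using documentation IP ranges, to exercise a non-"PT" id and a line that should not decode at all.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hand translation of the posted OSSEC decoder regex into Python's re dialect.
# Capture names match the decoder's <order>: srcuser,id,srcip,action,url,status,extra_data.
# Unlike the posted OSSEC regex, the closing quote of the user agent is matched
# outside the capture, so extra_data does not carry a trailing '"'.
DECODER_RE = re.compile(
    r'^"(?P<srcuser>[^"]+)" "(?P<id>\S+)" (?P<srcip>\S+) - - '
    r'\[\d+/\S+/\d{4}:\d\d:\d\d:\d\d [+-]\d+\] '
    r'"(?P<action>\S+) (?P<url>.+?) HTTP/\d\.\d" (?P<status>\d+) \d+ '
    r'"[^"]*" "(?P<extra_data>[^"]*)"$'
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for one log line, or None if the
    'ssl-cert' pattern does not match (the line is left to other decoders)."""
    m = DECODER_RE.match(line)
    return m.groupdict() if m else None


def rule_fires(fields: Optional[Dict[str, str]], wanted_id: str = "PT") -> bool:
    """Mirror of <rule><id>PT</id></rule>: the rule only applies to lines this
    decoder produced, and only when the decoded 'id' field equals wanted_id."""
    return fields is not None and fields.get("id") == wanted_id


# Constructed sample input. The first line is the one posted in the question;
# the second and third are made up (RFC 5737 documentation addresses).
SAMPLE_LOGS: List[str] = [
    '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
    '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
    'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"',
    # same format, different certificate country: decodes, rule must not fire
    '"Jane Doe" "US" 192.0.2.10 - - [21/Oct/2010:02:00:00 +0100] '
    '"POST /collect/upload HTTP/1.1" 302 512 "https://example.com/" "curl/7.21.0"',
    # plain combined-format line without the leading quoted fields: must not decode
    '203.0.113.5 - - [21/Oct/2010:02:05:00 +0100] "GET / HTTP/1.0" 200 10 "-" "-"',
]


def run(lines: List[str]) -> List[Tuple[Optional[str], bool]]:
    """For each line, return (decoded id or None, whether the PT rule fires)."""
    results = []
    for line in lines:
        fields = decode(line)
        results.append((fields["id"] if fields else None, rule_fires(fields)))
    return results


if __name__ == "__main__":
    for line, (cert_id, fires) in zip(SAMPLE_LOGS, run(SAMPLE_LOGS)):
        print(f"id={cert_id!r:6} fires={fires!s:5} {line[:60]}...")
```

Feed it the real log file (one line per entry) and look at any line that returns `None`: those are the formats the decoder would silently skip, and they are the ones worth pasting into ossec-logtest next.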