Creating custom decoders isn't too terribly difficult to do; and I bet you
could pay someone else if you wanted to farm that out (I'm thinking of the
companies that specialize in OSSEC you may already know of).
But doing it yourself probably wouldn't be as difficult as it sounds... and
once you get a feel for the regex implementation in OSSEC, you'll have this
done in an afternoon. It looks like you have three levels (INFO, WARN,
ERROR). Should be easy enough to create alerts on and all the rest...
On Friday, May 24, 2019 at 7:59:38 AM UTC-7, Nate wrote:
>
> Hi Everyone -
>
> Does anyone have a custom decoder for Atlassian products or can point me
> in the correct path to properly identify them?
>
> Here is a sample of what I am dealing with:
>
> Bamboo
> 019-05-23 12:56:11,870 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
> Remote agent 'WINDOWSBUILD.domain.local' was unresponsive and has gone
> offline.
> 2019-05-23 12:56:11,870 INFO [scheduler_Worker-3] [AgentManagerImpl] No
> deployments running on agent WINDOWSBUILD.domain.local
> 2019-05-23 12:56:11,871 INFO [scheduler_Worker-3] [AgentManagerImpl] No
> builds running on agent WINDOWSBUILD.domain.local
> 2019-05-23 12:56:11,902 INFO
> [AtlassianEvent::0-BAM::EVENTS:pool-3-thread-3] [ChainExecutionManagerImpl]
> Plan C334-141: - feature-dual-club has finished
> 2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
> Remote agent 'build-dev1.domain.local' was unresponsive and has gone
> offline.
>
>
> Confluence
> 2019-05-23 12:56:08,254 INFO [buildTailMessageListenerConnector-124]
> [FingerprintMatchingMessageListenerContainer] Successfully refreshed JMS
> Connection
> 2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
> Detected that remote agent 'build1.domain.local' has been inactive since
> Thu May 23 12:45:50 EDT 2019
> 2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
> Marking remote agent 'build1.domain.local' as unresponsive
> 2018-08-22 12:11:50,828 INFO [Caesium-1-1]
> [directory.ldap.cache.AbstractCacheRefresher]
> 2018-08-22 12:39:03,722 INFO [http-nio-8443-exec-24]
> [plugins.synchrony.service.SynchronyExternalChangesManager]
> performExternalChange Started external change for ContentId{id=37322926}
> 2019-05-02 16:30:00,315 ERROR [NotificationSender:thread-2]
> [plugin.notifications.dispatcher.NotificationErrorRegistryImpl] addError
> Error sending notification to server '<Unknown>'(-1) for INDIVIDUAL task
> (resent 0 times): Error sending to individual
> 'ff8080815bd4b40a015c7dcb00e80009' on server 'System Mail'
>
> Sample decoder output:
> 2019/05/24 09:19:49 ossec-testrule: INFO: Reading local decoder file.
> 2019/05/24 09:19:49 ossec-testrule: INFO: Started (pid: 18995).
> ossec-testrule: Type one log per line.
>
> 2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
> Remote agent 'chasebuild-dev1.archergroup.local' was unresponsive and has
> gone offline.
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2019-05-23 12:56:11,812 WARN [scheduler_Worker-3]
> [RemoteAgentManagerImpl] Remote agent 'chasebuild-dev1.archergroup.local'
> was unresponsive and has gone offline.'
> hostname: '*WARN*'
> program_name: '(null)'
> log: '[scheduler_Worker-3] [RemoteAgentManagerImpl] Remote agent
> 'build-dev1.domain.local' was unresponsive and has gone offline.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> The logs are interpreted as syslog and the status is being pulled into the
> hostname and the only log data I can work with for Phase 2 is the *log:*
> section
> correct? So I'll never be able to get the status of the log?
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/5963c13f-d2cc-4899-b717-b1360e75fa53%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
