This is a bit rough. I've tested it to make sure it doesn't hurt
anything else, but my tests aren't exhaustive. Also, it's tough with
only 1 log sample to make sure I've got everything. And last but not
least, I didn't look at the other web decoders to make sure the items
I placed in <order> match up to what they use. But here's a decoder:

<decoder name="ssl-cert">
  <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]</prematch>
  <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
  <order>srcuser,id,srcip,action,url,status,extra_data</order>
</decoder>

Here's what it looks like going through logtest:
# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
ossec-testrule: Type one log per line.

"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"


**Phase 1: Completed pre-decoding.
       full event: '"Vitor Correia" "PT" 89.155.91.201 - -
[21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
"-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
Gecko/20101012 Firefox/3.6.11"'
       hostname: 'ix'
       program_name: '(null)'
       log: '"Vitor Correia" "PT" 89.155.91.201 - -
[21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
"-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
Gecko/20101012 Firefox/3.6.11"'

**Phase 2: Completed decoding.
       decoder: 'ssl-cert'
       srcuser: 'Vitor Correia'
       id: 'PT'
       srcip: '89.155.91.201'
       action: 'GET'
       url: '/collect/main/'
       status: '200'
       extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'

To write a rule you'd use something like:
<rule id="NUMBER" level="NUMBER">
  <id>PT</id>
  <description>something</description>
</rule>

I'd run a bunch of logs through ossec-logtest to make sure it works on
all of them and not just the one you posted. But this should be enough
to get you started. If it doesn't work for another log, feel free to
post back with that log. I can help tune it if you need it.

Also, a little self promotion:
http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html That blog
post describes writing decoders bit by bit using ossec-logtest to test
it out.
HTH!
dan

On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <vhcorr...@gmail.com> wrote:
> Hello everyone,
>
> How can I go about writing a decoder/rule to send me an email every
> time a log entry like this is registered?
>
> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>
> I'm interested in catching the bit which says "PT", that will be the
> bit that will always appear.
>
>
> Thanks in advance.
>
>
> Vitor Correia
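Added example (not part of the thread, and not OSSEC's own code): a small Python harness that emulates what the decoder above does, so the prematch/regex/order mapping can be checked against several log lines without a running OSSEC install. It assumes Python's re module is an acceptable stand-in for OSSEC's matcher; the translator only handles the OSSEC dialect points that matter here (`\.` is any character, a bare `.` is a literal dot, `[` and `]` are literals because OSSEC has no character classes, `\p` is punctuation). The first sample line is the one from the thread; the other two are constructed.

```python
import re

# The decoder from the thread, copied in OSSEC regex syntax (not Python syntax).
OSSEC_PREMATCH = r'^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]'
OSSEC_REGEX = (
    r'^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] '
    r'"(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)'
)
ORDER = ["srcuser", "id", "srcip", "action", "url", "status", "extra_data"]

# Punctuation matched by OSSEC's \p class (per the OSSEC regex syntax docs).
_PUNCT_CLASS = "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]"


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex dialect to Python's re syntax.

    Handled here: '\\.' means any character, a bare '.' is a literal dot,
    '[' and ']' are literals (OSSEC has no character classes) and '\\p' is
    the punctuation class.  Approximation only: OSSEC's matcher is its own
    engine and may backtrack differently from Python's.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")                 # any character
            elif nxt == "p":
                out.append(_PUNCT_CLASS)        # punctuation class
            elif nxt in "wWdDsSt":
                out.append("\\" + nxt)          # same meaning in both dialects
            else:
                out.append(re.escape(nxt))      # unknown escape: take it literally
            i += 2
            continue
        # Metacharacters OSSEC shares with Python pass through; all else is literal.
        out.append(c if c in "()*+^$|" else re.escape(c))
        i += 1
    return "".join(out)


def decode(line: str):
    """Emulate the decoder: prematch must hit, then regex groups map to <order>."""
    if not re.match(ossec_to_python(OSSEC_PREMATCH), line):
        return None
    m = re.match(ossec_to_python(OSSEC_REGEX), line)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def rule_fires(fields, wanted_id: str = "PT") -> bool:
    """Equivalent of the rule's <id>PT</id> condition on the decoded fields."""
    return fields is not None and fields.get("id") == wanted_id


# Sample input: line 1 is the one posted in the thread; lines 2 and 3 are
# constructed here (a non-PT request that decodes but must not alert, and a
# plain Apache-style line that the prematch must reject).
SAMPLE_LINES = [
    '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
    '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
    'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"',
    '"Jane Example" "ES" 198.51.100.7 - - [21/Oct/2010:02:03:04 +0100] '
    '"POST /collect/upload/ HTTP/1.1" 302 0 "-" "curl/7.21.0"',
    '192.0.2.10 - - [21/Oct/2010:01:50:00 +0100] "GET /index.html HTTP/1.1" '
    '200 512 "-" "curl/7.21.0"',
]


def alerting_sources(lines):
    """Return the srcip of every line the <id>PT</id> rule would alert on."""
    return [decode(l)["srcip"] for l in lines if rule_fires(decode(l))]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = decode(line)
        print(fields, "-> alert" if rule_fires(fields) else "-> no alert")
```

Running it reproduces the logtest output for the posted line, including the trailing `"` left in extra_data because the decoder's last group `"(\.+)` has no closing quote; only the PT line reaches the rule, and the plain Apache line is rejected by the prematch. The same harness is a quick way to try the other log samples dan asks for before feeding them through ossec-logtest.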
