-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Cid wrote:
>
> If your mysql or postgresql logs are just normal syslog files (or have 1 line
> per event), you can just use the "syslog" log format. The "apache", "iis",
> "snort-fast" and "squid" formats are just aliases to this one. The only
> ones that make a difference are the "snort-full" (4 lines per event) and
> the nmapg (which parses the nmap format). These names are not defined
> in the xml, since they need to map to a specific "plugin" to read the logs.
> If you look at src/logcollector, you will see these three files:
>
> read_nmapg.c
> read_snortfull.c
> read_syslog.c
>
> The read_syslog.c basically reads any syslog (or 1 line per event) log. So if
> you want to monitor a binary format or a file with multiple lines per alert,
> you would need to write a new plugin and map a specific log_format to
> it... Hope I was able to explain it well..
>
> *log_formats are just related to how the logs are going to be extracted.
> The names in there have no relation to the ones in the decoders and/or
> rules.
>

So, if I wanted to monitor a log that *was* a 1 line entry, but is not a
standard log, would I need to create a decoder for it in decoder.xml? For
example, I have a Windows system that is syslogging Voltage/Fan/CPU usage
data to a central syslog server (which also happens to be my ossec server).
Given a line similar to this:

Aug 21 21:38:07 192.168.0.100 MBM[Fan 1]: C=2500 LA=1500 HA=99999 L=2463 H=2518 A=2499

Would I need to create a decoder to capture the C=nnnn field? Then, I would
be able to create rules based off of that decoder? Obviously, I'm trying to
understand how the hierarchy works here (in addition to monitoring my
systems).

> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 8/21/06, gentuxx <[EMAIL PROTECTED]> wrote:
>>
>> I only know a little about XML, so I'm kind of treading water with the
>> rules, and configs. But I do know that XML is hierarchical, and that
>> the different markup tags have to be defined /somewhere/. So, I'm
>> curious, where are the '<log_format>' tags defined? Or, rather, where
>> are the log formats defined? Is that in the decoders.xml? What if I
>> wanted to define my own log format to monitor, say MySQL, or
>> PostGRES? I've tried reading the source, but as much of a scripter as
>> I am, C is still beyond me as far as being able to really put it all
>> together. So, if I create a decoder in the decoders.xml file which
>> contains the regex(es) for MySQL, would I then be able to create a log
>> group, and thus rules, using the 'mysql' (or whatever I call it)
>> '<log_format>'?
>>
>>

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6oxpTPA54hjTSp4RAhwLAKCYWEpM8lCBi0ZBcBuLLGCluOKEaQCeMscy
V4cDLT+fUmGSh0h7jzf1+do=
=byIN
-----END PGP SIGNATURE-----
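The thread above separates two layers: the log_format plugin (read_syslog.c reads one line per event) only decides how lines are pulled off disk, while field extraction and alerting belong to decoders and rules. The following Python script is an added illustration of that hierarchy, written for this page and not code from OSSEC or from either poster; it models the stages as plain functions on the MBM line quoted in the mail plus two constructed sample lines. The stage names, the regexes, and the "fan below its low-alarm threshold" rule are assumptions made for the example, not OSSEC's own decoder or rule syntax.

```python
import re

# Constructed sample log: the MBM line from the mail, a second MBM line where
# the fan has dropped under its low-alarm value, and an unrelated sshd line.
SAMPLE_LOG = """\
Aug 21 21:38:07 192.168.0.100 MBM[Fan 1]: C=2500 LA=1500 HA=99999 L=2463 H=2518 A=2499
Aug 21 21:38:37 192.168.0.100 MBM[Fan 1]: C=1200 LA=1500 HA=99999 L=1200 H=2518 A=2450
Aug 21 21:38:40 192.168.0.100 sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
"""


def read_syslog(text):
    """Stage 1, the 'syslog' log_format: one non-empty line is one event."""
    return [line for line in text.splitlines() if line.strip()]


# Stage 2, generic syslog pre-decoding: timestamp, host, program name,
# optional bracketed tag, then the free-form message.
SYSLOG_HDR = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[(?P<tag>[^\]]*)\])?: (?P<msg>.*)$'
)


def predecode(line):
    m = SYSLOG_HDR.match(line)
    return m.groupdict() if m else None


# Stage 3, a decoder specific to the MBM program (hypothetical): pull the
# current reading and the low/high alarm thresholds out of the message.
MBM_FIELDS = re.compile(r'C=(?P<current>\d+) LA=(?P<low_alarm>\d+) HA=(?P<high_alarm>\d+)')


def decode_mbm(event):
    if event is None or event['prog'] != 'MBM':
        return None  # decoder does not match; other decoders would be tried
    m = MBM_FIELDS.search(event['msg'])
    if not m:
        return None
    fields = {k: int(v) for k, v in m.groupdict().items()}
    fields['sensor'] = event['tag']  # e.g. "Fan 1"
    return fields


def rule_fan_below_low_alarm(fields):
    """Stage 4, a rule on decoded fields (assumed for the example)."""
    return fields['current'] < fields['low_alarm']


def process(text):
    """Run every line through the pipeline and collect rule hits."""
    alerts = []
    for line in read_syslog(text):
        fields = decode_mbm(predecode(line))
        if fields is None:
            continue
        if rule_fan_below_low_alarm(fields):
            ev = predecode(line)
            alerts.append((ev['ts'], ev['host'], fields['sensor'],
                           fields['current'], fields['low_alarm']))
    return alerts


if __name__ == '__main__':
    for alert in process(SAMPLE_LOG):
        print('ALERT fan below low-alarm threshold:', alert)
```

The point the script makes is the one the reply hints at: the sshd line is read by the same "syslog" plugin as the MBM lines, and it is only the decoder stage, keyed on the program name, that decides which lines get their C=, LA= and HA= values extracted and therefore which lines a rule can reason about.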
