Daniel Cid wrote:
> 
> For this log,  you can just create a new rule for it without the
> decoder.  You
> only need the decoder if you want to extract specific values from the log
> (like srcip, username, etc). An example rule would be:
> 

I want to capture the "C=nnnn" value.  I remember seeing somewhere
(maybe in the source) that there are only certain variables that can be
used.  Is this true?

Can I copy/paste/rename the following section of code (and recompile) to
create a custom set of variables?

/* Decoder field handler: stores the captured string in the event's url slot */
void *Url_FP(Eventinfo *lf, char *field)
{
    lf->url = field;
    return(NULL);
}


> <group name="cpu-stuff,syslog">
>  <rule id="12345" level="0">
>    <match>^MBM</match>
>    <description>Logs that start with MBM</description>
>  </rule>
> 
>  <rule id="123456" level="10">
>     <if_sid>12345</if_sid>
>     <match>C=2500</match>
>    <description>C=2500 comment</description>
>  </rule>
> </group>
> 

[...snip...]

> 
> -- 
> Daniel B. Cid
> dcid ( at ) ossec.net
> 

Logically, I would like to create a rule that would fire if a captured
value is higher or lower than a given amount or another captured value.
So, pseudocode for the example line below would look something like this:

capture "C=(\d+) LA=(\d+) HA=(\d+)"
if C > HA OR C < LA
        fire alert

Is this level of logic built into the rules handling?

> 
> 
> On 8/22/06, gentuxx <[EMAIL PROTECTED]> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> So, if I wanted to monitor a log that *was* a 1 line entry, but is not a
>> standard log, would I need to create a decoder for it in decoder.xml?
>> For example, I have a Windows system that is syslogging Voltage/Fan/CPU
>> usage data to a central syslog server (which also happens to be my ossec
>> server).  Given a line similar to this:
>>
>> Aug 21 21:38:07 192.168.0.100 MBM[Fan 1]: C=2500 LA=1500 HA=99999 L=2463
>> H=2518 A=2499
>>
>> Would I need to create a decoder to capture the c=nnnn field?  Then, I
>> would be able to create rules based off of that decoder?
>>
>> Obviously, I'm trying to understand how the hierarchy works here (in
>> addition to monitoring my systems).
>>
> 


-- 
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2 18D3 4A9E
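As an added example (not from the thread and not OSSEC code), the capture and threshold comparison from the pseudocode above, written out in Python so the regex and the C/LA/HA logic can be checked against sample syslog lines before being turned into decoders and rules. The line format, host and sensor names come from the quoted log; the other sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the quoted line: syslog timestamp, host, "MBM[<sensor>]:", KEY=value pairs.
MBM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MBM\[(?P<sensor>[^\]]+)\]: (?P<pairs>.*)$"
)
PAIR_RE = re.compile(r"\b([A-Z]+)=(\d+)\b")

@dataclass
class MbmEvent:
    host: str
    sensor: str
    values: dict  # e.g. {"C": 2500, "LA": 1500, "HA": 99999, ...}

def parse_mbm(line: str) -> Optional[MbmEvent]:
    """Decode one line; return None for lines that are not MBM readings."""
    m = MBM_RE.match(line)
    if not m:
        return None
    values = {k: int(v) for k, v in PAIR_RE.findall(m.group("pairs"))}
    return MbmEvent(m.group("host"), m.group("sensor"), values)

def out_of_range(ev: MbmEvent) -> Optional[str]:
    """'if C > HA or C < LA: fire alert'. Returns the alert text or None.
    A reading missing any of C/LA/HA cannot be judged and is skipped."""
    try:
        c, la, ha = ev.values["C"], ev.values["LA"], ev.values["HA"]
    except KeyError:
        return None
    if c > ha or c < la:
        return f"{ev.host} {ev.sensor}: C={c} outside [{la}, {ha}]"
    return None

def scan(lines: List[str]) -> List[str]:
    """Decode every line and collect the alerts the rule would raise."""
    alerts = []
    for ev in map(parse_mbm, lines):
        if ev is not None and (alert := out_of_range(ev)):
            alerts.append(alert)
    return alerts

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Aug 21 21:38:07 192.168.0.100 MBM[Fan 1]: C=2500 LA=1500 HA=99999 L=2463 H=2518 A=2499",
    "Aug 21 21:39:07 192.168.0.100 MBM[Fan 1]: C=1200 LA=1500 HA=99999 L=1200 H=2518 A=2480",
    "Aug 21 21:39:07 192.168.0.100 MBM[CPU]: C=71 LA=0 HA=65 L=40 H=71 A=55",
    "Aug 21 21:40:07 192.168.0.100 sshd[123]: Accepted publickey for ops",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```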