Before:
[EMAIL PROTECTED] ~]# echo "Nov 2 09:59:48 satyr seahorse-agent[6175]: Failed to send buffer" | ossec-logtest
2008/11/03 13:30:30 ossec-testrule: INFO: Started (pid: 13176).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Nov 2 09:59:48 satyr seahorse-agent[6175]: Failed to send buffer'
hostname: 'satyr'
program_name: 'seahorse-agent'
log: 'Failed to send buffer'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
I think you can focus on the program_name decoded in the pre-decoding phase
and the error message "Failed to send buffer" to be more accurate.
Rule in local_rules.xml:
------------------------------------------------------------------
<group name="local,syslog,">  <!-- the default group that wraps the rules in local_rules.xml -->
  <rule id="100199" level="0">
    <program_name>seahorse-agent</program_name>
    <match>^Failed to send buffer</match>
    <description>Ignore sea-horse failure to send buffer</description>
  </rule>
</group>
------------------------------------------------------------------
(Rule id I've chosen is just an example.)
After:
[EMAIL PROTECTED] ~]# echo "Nov 2 09:59:48 satyr seahorse-agent[6175]: Failed to send buffer" | ossec-logtest
2008/11/03 13:33:29 ossec-testrule: INFO: Started (pid: 13280).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Nov 2 09:59:48 satyr seahorse-agent[6175]: Failed to send buffer'
hostname: 'satyr'
program_name: 'seahorse-agent'
log: 'Failed to send buffer'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '100199'
Level: '0'
Description: 'Ignore sea-horse failure to send buffer'
Let me know if it works for you :)
Aurora
Kayvan A. Sylvan ha scritto:
> This question is along the same lines as my other query about regex matching.
>
> I am getting these notifications:
>
> Received From: satyr->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Nov 2 09:59:48 satyr seahorse-agent[6175]: Failed to send buffer
>
> But I have the following in local_rules.xml:
>
> <rule id="100040" level="0">
> <if_sid>1002</if_sid>
> <match>seahorse-agent</match>
> <description>Ignore sea-horse failure to send buffer</description>
> </rule>
>
> So, what am I doing wrong?
>
> ---Kayvan
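To show why the original rule 100040 never fires while rule 100199 does, here is an added toy re-implementation of the three ossec-logtest phases seen above (not OSSEC's code, and not from either poster). It assumes a simplified syslog pre-decoder, an abridged word list for rule 1002, and a hypothetical evaluation order in which a matching level-0 rule ends processing; the key behaviour it models is that `<match>` is tested against the decoded log field only, so the program name is no longer part of the text it sees.

```python
import re

# Constructed sample: the syslog line from the thread, as fed to ossec-logtest.
SAMPLE_EVENT = "Nov 2 09:59:48 satyr seahorse-agent[6175]: Failed to send buffer"

# Hypothetical pre-decoder (Phase 1): timestamp, hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)

def predecode(event):
    """Split the line into fields; only the 'log' field is what <match> sees."""
    m = SYSLOG_RE.match(event)
    if not m:
        return {"hostname": "", "program_name": "", "log": event}
    return m.groupdict()

# Hypothetical rule table modelled on the thread (1002's word list is abridged).
RULE_1002 = {"id": "1002", "level": 2, "match": r"failure|error|failed|denied|refused",
             "description": "Unknown problem somewhere in the system."}
KAYVAN_RULE = {"id": "100040", "level": 0, "if_sid": "1002", "match": r"seahorse-agent",
               "description": "Ignore sea-horse failure to send buffer"}
AURORA_RULE = {"id": "100199", "level": 0, "program_name": "seahorse-agent",
               "match": r"^Failed to send buffer",
               "description": "Ignore sea-horse failure to send buffer"}
RULES_BEFORE = [RULE_1002, KAYVAN_RULE]               # Kayvan's local_rules.xml
RULES_AFTER = [AURORA_RULE, RULE_1002, KAYVAN_RULE]   # with Aurora's rule added

def rule_matches(rule, fields, fired_ids):
    """<if_sid> needs the parent to have fired, <program_name> is compared with the
    decoded program_name field, and <match> is searched in the decoded log field."""
    if "if_sid" in rule and rule["if_sid"] not in fired_ids:
        return False
    if "program_name" in rule and rule["program_name"] != fields["program_name"]:
        return False
    return re.search(rule["match"], fields["log"], re.IGNORECASE) is not None

def evaluate(event, rules):
    """Phase 3 (simplified): a matching level-0 rule ends processing and the
    event is ignored; otherwise the highest-level matching rule is the alert."""
    fields = predecode(event)
    fired, winner = set(), None
    for rule in rules:
        if rule_matches(rule, fields, fired):
            fired.add(rule["id"])
            if rule["level"] == 0:
                return rule
            if winner is None or rule["level"] > winner["level"]:
                winner = rule
    return winner
```

Running `evaluate(SAMPLE_EVENT, RULES_BEFORE)` yields rule 1002 (level 2), because "seahorse-agent" is not in the log field 'Failed to send buffer'; with `RULES_AFTER` the event is caught by rule 100199 at level 0, matching the two logtest runs in the reply.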