Hey Reggie, I'm not sure if this is the best method but it seems to get the job done. All I did was add <type>firewall</type> to the parent decoder and then in your custom rule you can use <if_sid>4100</if_sid> which is the standard rule to group firewall logs. This seems to bypass syslog_rules.xml which is where you were getting stuck on the debian match. I'm sure Daniel will chime in with a better method.
cheers,
cnk

On Thu, Feb 12, 2009 at 3:47 PM, Reggie Griffin <[email protected]> wrote:
>
> Hello,
>
> I am having an issue with writing a custom decoder and custom rule set.
> Is there a way to tell OSSEC to parse my custom rules file before the
> built-in one? I am assuming from these entries when running
> ossec-logtest, that it successfully decodes, but then hits the default
> syslog ruleset, therefore not getting to my custom one. I added my custom
> one just after local_rules.xml. Here are the logs. I sent some log
> examples in a previous post.
>
> **Phase 2: Completed decoding.
> decoder: 'junipersslvpn'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2900'
> Level: '0'
> Description: 'Dpkg (Debian Package) log.'
>
>
> I tried moving my custom rules.xml file above the syslog_rules.xml file
> in the ossec.conf file, but I got an error on restart. Any advice would
> be welcome. I would add it to the local_rules.xml file, but that file is
> starting to get rather bloated with entries.
>
> I am still in the process of learning how OSSEC parses the logs, so
> forgive me if this is something obvious.
>
> -Reggie
>
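To make the approach cnk describes concrete, here is an added example (not configuration posted by anyone in this thread) of what the parent decoder and the custom rules file could look like. The decoder's prematch pattern, the rule ids in the 100100 range, the match text and the descriptions are all assumptions: the real Juniper SSL VPN log samples are in Reggie's earlier post, not here. Only the use of `<type>firewall</type>` on the decoder and `<if_sid>4100</if_sid>` (the level-0 "Firewall rules grouped" rule in firewall_rules.xml) comes from the thread.

```xml
<!-- local_decoder.xml: parent decoder for the Juniper SSL VPN logs.
     The prematch below is a PLACEHOLDER; replace it with a pattern taken
     from the real log lines. -->
<decoder name="junipersslvpn">
  <!-- type=firewall routes the event to rule 4100 (category "firewall")
       instead of letting the generic syslog rules (e.g. rule 2900) grab it -->
  <type>firewall</type>
  <prematch>^JUNIPER_SSLVPN_PLACEHOLDER: </prematch>
</decoder>

<!-- custom_junipersslvpn_rules.xml: included in ossec.conf after
     local_rules.xml (rule ids 100100+ are assumed to be unused). -->
<group name="junipersslvpn,">

  <!-- Parent rule: hang off 4100 and restrict to our decoder. Level 0 so
       it only groups; ossec-logtest should now report this id in Phase 3
       instead of 2900. -->
  <rule id="100100" level="0">
    <if_sid>4100</if_sid>
    <decoded_as>junipersslvpn</decoded_as>
    <description>Juniper SSL VPN event grouped.</description>
  </rule>

  <!-- Child rule: build the actual alerts on the grouped parent. The match
       string is a placeholder to be replaced with text from the real logs. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>PLACEHOLDER_EVENT_TEXT</match>
    <description>Juniper SSL VPN: placeholder alert on a grouped event.</description>
  </rule>

</group>
```

Because rule 100100 chains from 4100, the custom file has to be loaded after firewall_rules.xml; keeping it after local_rules.xml in ossec.conf satisfies that, which is why moving it above syslog_rules.xml is unnecessary. Re-run ossec-logtest against one of the sample lines and confirm that Phase 2 still shows decoder 'junipersslvpn' and Phase 3 now ends at a rule in the custom file.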
