On Fri, Jan 15, 2010 at 9:06 AM, spyder <[email protected]> wrote:
> Greetings,
>
> I have just installed OSSEC for testing and so far liking what I see.
> We have a custom app that creates logfiles and I have a couple
> questions on how to get OSSEC to monitor these logs in real time. The
> app is a real time interface and I need to alert on when it can't
> connect to a remote service which is in the logfile.
>
> 1) The logfile name is in format of 'errorYYYYMMDD.log' and the app
> rotates/opens a new logfile each day. Is there a way to monitor a
> logfile that has a name that changes daily?
>
> 2) The logfile has entries in the format of the following where NNNN
> is a 4 digit numeric error number
> YYYY-MM-DD HH:MM:SS.MMMM ERROR: NNNN text string
>
> TIA
>
2: Look at $OSSEC_HOME/bin/ossec-logtest
( http://www.ossec.net/main/manual/manual-testing-ossec-rules/ and
http://www.ossec.net/main/manual/creating-a-separated-directory-for-testing-ossec-rulesconfig/ )
It will help you determine how ossec currently parses the logs, and is super
helpful for writing decoders and rules.

For example, using the format above I was able to create the following
decoder in $OSSEC_HOME/etc/local_decoder.xml:

<decoder name="custom-app">
  <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d\d ERROR:</prematch>
  <regex offset="after_prematch"> (\d\d\d\d) (.*)$</regex>
  <order>id,extra_data</order>
</decoder>

And tested it using the following fake log message:

2010-01-14 01:01:01.1234 ERROR: 9999 blah blah

ossec-logtest gives the following output:

**Phase 1: Completed pre-decoding.
       full event: '2010-01-14 01:01:01.1234 ERROR: 9999 blah blah'
       hostname: 'ix'
       program_name: '(null)'
       log: '2010-01-14 01:01:01.1234 ERROR: 9999 blah blah'

**Phase 2: Completed decoding.
       decoder: 'custom-app'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
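The logtest run above still ends at the generic rule 1002, so the decoded id is not yet used for anything. As an added example (not from the thread or from the OSSEC project), here is a local_rules.xml fragment that alerts on a specific decoded error number, plus an ossec.conf localfile entry for the daily-rotated filename from question 1; the rule ids, the error number 1234 and the log path are assumptions, and the filename handling relies on OSSEC expanding strftime patterns in <location>.

```xml
<!-- Added example, not part of the thread. -->
<!-- $OSSEC_HOME/etc/local_rules.xml -->
<group name="custom-app,">
  <!-- Parent rule: every line the custom-app decoder matched.
       Level 0 means it only groups; the children decide what alerts. -->
  <rule id="100100" level="0">
    <decoded_as>custom-app</decoded_as>
    <description>Custom app error log entry.</description>
  </rule>

  <!-- Alert when the decoded id (the NNNN field) is the connection-failure
       code. 1234 is a placeholder; substitute the app's real error number. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <id>^1234$</id>
    <description>Custom app cannot reach remote service.</description>
  </rule>

  <!-- Any other custom-app ERROR line: lower level, still recorded.
       OSSEC checks higher-level children first, so 100101 wins when it matches. -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <description>Custom app reported an error.</description>
  </rule>
</group>

<!-- $OSSEC_HOME/etc/ossec.conf: monitor the file whose name changes daily.
     The %Y%m%d is expanded by OSSEC at runtime (strftime format), so the
     new day's errorYYYYMMDD.log is picked up without a config change.
     The directory is an assumption. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/customapp/error%Y%m%d.log</location>
</localfile>
```

Re-run ossec-logtest with the fake message after adding the rules; Phase 3 should now report rule 100102 (or 100101 if the id matches) instead of 1002.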
