Hello list,

I have an odd problem and I'm hoping more sets of eyes can help.

I've made the following decoder:

<decoder name="heartbeat">
  <parent>ossec-alert</parent>
  <use_own_name>true</use_own_name>
  <regex>Heartbeat: (\w*)\s*\d*\s\S*\s(\w)\s*(\S*)</regex>
  <order>user,status,data</order>
</decoder>

When I run it through ossec-logtest, I get:

2010/09/24 16:44:56 ossec-testrule: INFO: Started (pid: 6332).
ossec-testrule: Type one log per line.

Sep 24 16:32:25 vm-test ossec: Heartbeat: root      3255 15:59 S    /opt/ossec/bin/ossec-logcollector


**Phase 1: Completed pre-decoding.
       full event: 'Sep 24 16:32:25 vm-test ossec: Heartbeat: root      3255 15:59 S    /opt/ossec/bin/ossec-logcollector'
       hostname: 'vm-test'
       program_name: 'ossec'
       log: 'Heartbeat: root      3255 15:59 S    /opt/ossec/bin/ossec-logcollector'

**Phase 2: Completed decoding.
       decoder: 'ossec-alert'
       dstuser: 'root'
       status: 'S'
       extra_data: '/opt/ossec/bin/ossec-logcollector'

[r...@vm-test bin]#

It stops there, and logtest never fires my custom rules, which use the
<decoded_as>heartbeat</decoded_as> tag:

  <rule id="101000" level="0">
    <decoded_as>heartbeat</decoded_as>
    <description>OSSEC heartbeat events grouped</description>
  </rule>

I saw in an earlier post that there's a bug in logtest that doesn't
allow the child decoder's name to show up in logtest, but any custom
rules that fire based on the child decoder's name should work if the
<use_own_name> tag is present. I can tell the child decoder is firing,
because if I test the log with just the ossec-alert decoder, I don't
see the dstuser, status, and extra_data fields in logtest. However,
the child decoder's name isn't getting passed to my custom rule, so
the rule isn't firing. This happens in both logtest and the full OSSEC
manager (after restarting OSSEC with the custom decoder and rules).

We ran this by Daniel Cid already, and he was equally puzzled:

"It worked fine for me when I added the <prematch>Heartbeat</prematch>
to the decoder. But even without, it should have worked. Maybe you
have another rule matching on it before the 101000?"

I can't find any rules that match on a decoder name of "ossec-alert"
at all, and I can't think of any other rules that this log would
trigger before getting to my custom rule. It does work if, as Daniel
suggested, I add the <prematch> tags, but that doesn't make much sense
either.

I'm worried that even if I use it with the <prematch> tags, my decoder
will break something behind the scenes. I'm hoping more sets of eyes
can pick out what's going on, and help me get this thing working
properly. Why doesn't my decoder's name get passed using
<use_own_name>? Why does adding a <prematch> make it work?

Thanks in advance!
-Alisha Kloc
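Added example (not part of the original post, and not OSSEC's own code): a small Python model of the three logtest phases, run over the heartbeat line from the post. It pre-decodes the syslog header, applies the parent and child decoder, and fires a rule keyed on <decoded_as>. The field names dstuser/status/extra_data are taken from the Phase 2 output above; the decoder regex is reused verbatim as a Python regex, which is valid only because the two syntaxes coincide for this pattern. The parent being matched via program_name "ossec", the substring semantics of <prematch>, and the first-matching-child selection are assumptions of the model, not documented OSSEC behaviour. The model decodes and fires rule 101000 both with and without the <prematch>, which is the outcome Daniel Cid's reply says should happen; it does not reproduce the failure the post describes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the single log line from the logtest session in the post.
SAMPLE_LOG = ("Sep 24 16:32:25 vm-test ossec: Heartbeat: root      3255 15:59 S    "
              "/opt/ossec/bin/ossec-logcollector")

# Phase 1 (pre-decoding): split the syslog header into hostname, program_name and log.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+"
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<log>.*)$"
)

# Names ossec-logtest prints for the <order> fields used in the post (Phase 2 output).
ORDER_TO_FIELD = {"user": "dstuser", "status": "status", "data": "extra_data"}


@dataclass
class Decoder:
    name: str
    parent: Optional[str] = None        # child decoders name their parent
    program_name: Optional[str] = None  # parent match on the pre-decoded program name
    prematch: Optional[str] = None      # modelled as a substring check before the regex
    regex: Optional[str] = None         # capture groups are assigned in <order>
    order: list = field(default_factory=list)
    use_own_name: bool = False


def predecode(line):
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a syslog-style line: %r" % line)
    return {"hostname": m["hostname"], "program_name": m["program_name"], "log": m["log"]}


def decode(event, decoders):
    """Phase 2 (model): pick a matching parent, then its first matching child."""
    for parent in (d for d in decoders if d.parent is None):
        if parent.program_name and parent.program_name != event["program_name"]:
            continue
        event["decoder"] = parent.name
        for child in decoders:
            if child.parent != parent.name:
                continue
            if child.prematch is not None and child.prematch not in event["log"]:
                continue
            m = re.search(child.regex, event["log"]) if child.regex else None
            if child.regex and not m:
                continue
            for key, value in zip(child.order, m.groups() if m else ()):
                event[ORDER_TO_FIELD.get(key, key)] = value
            if child.use_own_name:   # the name the rules see
                event["decoder"] = child.name
            return event
        return event                  # parent matched, no child did
    return event


def fire_rules(event, rules):
    """Phase 3 (model): rules that key only on <decoded_as>."""
    return [r["id"] for r in rules if r.get("decoded_as") == event.get("decoder")]


def run(line, prematch=None):
    decoders = [
        # Assumption of the model: the parent matches on program_name "ossec".
        Decoder(name="ossec-alert", program_name="ossec"),
        Decoder(name="heartbeat", parent="ossec-alert", use_own_name=True,
                prematch=prematch,
                regex=r"Heartbeat: (\w*)\s*\d*\s\S*\s(\w)\s*(\S*)",
                order=["user", "status", "data"]),
    ]
    rules = [{"id": 101000, "level": 0, "decoded_as": "heartbeat",
              "description": "OSSEC heartbeat events grouped"}]
    event = decode(predecode(line), decoders)
    return event, fire_rules(event, rules)


if __name__ == "__main__":
    for pm in (None, "Heartbeat"):
        event, fired = run(SAMPLE_LOG, prematch=pm)
        print("prematch=%r decoder=%r fired=%r" % (pm, event["decoder"], fired))
        for k in ("dstuser", "status", "extra_data"):
            print("   %s: %r" % (k, event[k]))
```

Running it prints the same decoder name, the three fields and rule 101000 for both variants; a line from program "ossec" that does not contain "Heartbeat" stays at decoder "ossec-alert" and fires nothing.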
