Bump, since I suspect this got lost in the Friday shuffle.... Anyone have any insight as to why this particular decoder is behaving strangely? We need this decoder/rule chain, but I don't want to risk something down the road turning up broken.
Thanks!
-Alisha Kloc

On Sep 24, 1:27 pm, Alisha Kloc <[email protected]> wrote:
> Hello list,
>
> I have an odd problem and I'm hoping more sets of eyes can help.
>
> I've made the following decoder:
>
> <decoder name="heartbeat">
>   <parent>ossec-alert</parent>
>   <use_own_name>true</use_own_name>
>   <regex>Heartbeat: (\w*)\s*\d*\s\S*\s(\w)\s*(\S*)</regex>
>   <order>user,status,data</order>
> </decoder>
>
> When I run it through ossec-logtest, I get:
>
> 2010/09/24 16:44:56 ossec-testrule: INFO: Started (pid: 6332).
> ossec-testrule: Type one log per line.
>
> Sep 24 16:32:25 vm-test ossec: Heartbeat: root 3255 15:59 S /opt/ossec/bin/ossec-logcollector
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Sep 24 16:32:25 vm-test ossec: Heartbeat: root 3255 15:59 S /opt/ossec/bin/ossec-logcollector'
>        hostname: 'vm-test'
>        program_name: 'ossec'
>        log: 'Heartbeat: root 3255 15:59 S /opt/ossec/bin/ossec-logcollector'
>
> **Phase 2: Completed decoding.
>        decoder: 'ossec-alert'
>        dstuser: 'root'
>        status: 'S'
>        extra_data: '/opt/ossec/bin/ossec-logcollector'
>
> [r...@vm-test bin]#
>
> It stops there, and logtest never fires my custom rules, which use the
> <decoded_as>heartbeat</decoded_as> tag:
>
> <rule id="101000" level="0">
>   <decoded_as>heartbeat</decoded_as>
>   <description>OSSEC heartbeat events grouped</description>
> </rule>
>
> I saw in an earlier post that there's a bug in logtest that doesn't
> allow the child decoder's name to show up in logtest, but any custom
> rules that fire based on the child decoder's name should work if the
> <use_own_name> tag is present. I can tell the child decoder is firing,
> because if I test the log with just the ossec-alert decoder, I don't
> see the dstuser, status, and extra_data fields in logtest. However,
> the child decoder's name isn't getting passed to my custom rule, so
> the rule isn't firing. This happens in both logtest and the full OSSEC
> manager (after restarting OSSEC with the custom decoder and rules).
>
> We ran this by Daniel Cid already, and he was equally puzzled:
>
> "It worked fine for me when I added the <prematch>Heartbeat</prematch>
> to the decoder. But even without, it should have worked. Maybe you
> have another rule matching on it before the 101000?"
>
> I can't find any rules that match on a decoder name of "ossec-alert"
> at all, and I can't think of any other rules that this log would
> trigger before getting to my custom rule. It does work if, as Daniel
> suggested, I add the <prematch> tags, but that doesn't make much sense
> either.
>
> I'm worried that even if I use it with the <prematch> tags, my decoder
> will break something behind the scenes. I'm hoping more sets of eyes
> can pick out what's going on, and help me get this thing working
> properly. Why doesn't my decoder's name get passed using
> <use_own_name>? Why does adding a <prematch> make it work?
>
> Thanks in advance!
> -Alisha Kloc
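To check what the heartbeat decoder's regex and order actually extract from that log line, separately from OSSEC's decoder-tree dispatch, here is an added Python harness (not part of this thread or of OSSEC itself) that translates the OSSEC regex dialect into Python `re` and applies the `<regex>`/`<order>` pair, with or without a `<prematch>`. The character classes are assumed from the OSSEC regex documentation, and parent-decoder handling is not emulated.

```python
import re
# Constructed sample: the "log:" part that ossec-logtest printed for the heartbeat event.
HEARTBEAT_LOG = "Heartbeat: root 3255 15:59 S /opt/ossec/bin/ossec-logcollector"

# OSSEC regex classes mapped to Python re (assumption: per the OSSEC regex docs; OSSEC's
# \. means "any character", a bare . is a literal dot, and \p punctuation is not handled).
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "S": r"[^ ]", "W": r"[^A-Za-z0-9@_\-]", "D": r"[^0-9]", ".": r".",
}

def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<prematch> pattern into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # unknown escape -> literal
            i += 2
        elif ch in "()*+?^$":  # same meaning in both dialects
            out.append(ch)
            i += 1
        else:  # everything else is literal in OSSEC, so escape it for Python
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

ORDER_TO_FIELD = {"user": "dstuser", "status": "status", "data": "extra_data"}  # logtest labels
HEARTBEAT_DECODER = {
    "name": "heartbeat",
    "regex": r"Heartbeat: (\w*)\s*\d*\s\S*\s(\w)\s*(\S*)",
    "order": ["user", "status", "data"],
}

def run_decoder(decoder, log):
    """Apply a decoder (optional prematch, then regex/order) to the log text; None if no match."""
    if "prematch" in decoder and not re.search(ossec_to_python(decoder["prematch"]), log):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), log)
    if not m:
        return None
    fields = {"decoder": decoder["name"]}
    for name, value in zip(decoder["order"], m.groups()):
        fields[ORDER_TO_FIELD.get(name, name)] = value  # (\w) captures exactly one char: "S"
    return fields

if __name__ == "__main__":  # same fields with or without <prematch>Heartbeat</prematch>
    print(run_decoder(HEARTBEAT_DECODER, HEARTBEAT_LOG))
    print(run_decoder(dict(HEARTBEAT_DECODER, prematch="Heartbeat"), HEARTBEAT_LOG))
```

Because the three fields come out identically either way, the regex itself is not what the `<prematch>` changes; the difference has to be in how the child decoder is selected, which this harness does not model.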
