It worked fine for me. Make sure the decoder pasted nicely. It doesn't
look very nice in gmail to me, and weird newlines might mess with
things.

On Fri, Oct 22, 2010 at 2:44 PM, vcorreia <[email protected]> wrote:
> I did what you said, but on logtest I keep getting this error:
>
> **Phase 2: Completed decoding.
>       No decoder matched.
>
>
> Vitor Correia
>
> On Oct 22, 5:02 pm, "dan (ddp)" <[email protected]> wrote:
>> On Fri, Oct 22, 2010 at 11:35 AM, vcorreia <[email protected]> wrote:
>> > Hello,
>>
>> > It looks excellent :)
>>
>> > I only posted one line of log because all the other lines are the
>> > same, only changing the time, ip and the first field which is the
>> > common name of the certificate. The second field 'PT' is always the
>> > same, I set it up that way in order to have a way for ossec to catch
>> > the log entry.
>>
>> That's fine. I just wanted to make it clear that other log entries
>> could be different (as far as I knew), and that they should be tested
>> too. :)
>>
>>
>>
>> > Where should I put your decoder? How can I go about making it send me
>> > email every time a log entry like the one appears?
>>
>> Put the decoder in /var/ossec/etc/local_decoder.xml (change /var/ossec
>> to where-ever you installed ossec).
>>
>> Adding <options>alert_by_email</options> will make the rule always get
>> emailed. Also setting the level high enough to be emailed (I think
>> it's 7 and up by default) could do it.
>>
>>
>>
>> > Thanks for your help.
>>
>> > Vitor Correia
>>
>> > On Oct 21, 3:09 pm, "dan (ddp)" <[email protected]> wrote:
>> >> This is a bit rough. I've tested it to make sure it doesn't hurt
>> >> anything else, but my tests aren't exhaustive. Also, it's tough with
>> >> only 1 log sample to make sure I've got everything. And last but not
>> >> least, I didn't look at the other web decoders to make sure the items
>> >> I placed in <order> match up to what they use. But here's a decoder:
>>
>> >> <decoder name="ssl-cert">
>> >>   <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]</prematch>
>> >>   <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>> >>   <order>srcuser,id,srcip,action,url,status,extra_data</order>
>> >> </decoder>
>>
>> >> Here's what it looks like going through logtest:
>> >> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>> >> 2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
>> >> 2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
>> >> ossec-testrule: Type one log per line.
>>
>> >> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> >> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> >> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '"Vitor Correia" "PT" 89.155.91.201 - -
>> >> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> >> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> >> Gecko/20101012 Firefox/3.6.11"'
>> >>        hostname: 'ix'
>> >>        program_name: '(null)'
>> >>        log: '"Vitor Correia" "PT" 89.155.91.201 - -
>> >> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> >> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> >> Gecko/20101012 Firefox/3.6.11"'
>>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'ssl-cert'
>> >>        srcuser: 'Vitor Correia'
>> >>        id: 'PT'
>> >>        srcip: '89.155.91.201'
>> >>        action: 'GET'
>> >>        url: '/collect/main/'
>> >>        status: '200'
>> >>        extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
>> >> rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>>
>> >> To write a rule you'd use something like:
>> >> <rule id="NUMBER" level="NUMBER">
>> >>   <id>PT</id>
>> >>   <description>something</description>
>> >> </rule>
>>
>> >> I'd run a bunch of logs through ossec-logtest to make sure it works on
>> >> all of them and not just the one you posted. But this should be enough
>> >> to get you started. If it doesn't work for another log, feel free to
>> >> post back with that log. I can help tune it if you need it.
>>
>> >> Also, a little self promotion:
>> >> http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html
>> >> That blog post describes writing decoders bit by bit using
>> >> ossec-logtest to test it out.
>> >> HTH!
>> >> dan
>>
>> >> On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <[email protected]> wrote:
>> >> > Hello everyone,
>>
>> >> > How can I go about writing a decoder/rule to send me an email every
>> >> > time a log entry like this is registered?
>>
>> >> > "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> >> > "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> >> > Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> >> > I'm interested in catching the bit which says "PT", that will be the
>> >> > bit that will always appear.
>>
>> >> > Thanks in advance.
>>
>> >> > Vitor Correia

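Added example (not part of this thread, and not OSSEC's own code): a small Python emulation of what ossec-logtest does with dan's decoder and a rule in the shape he sketched. It translates OSSEC's regex dialect to Python's, runs prematch / regex / <order> over Vitor's original line plus two constructed ones, and then checks the rule, including the two routes to an e-mail dan mentions (alert_by_email, or level at or above email_alert_level). The rule id 100100, level 7, description and the <decoded_as> tag are my assumptions, not from the thread; the translation of \w is approximate, and \p follows the punctuation set OSSEC documents. Paste the two XML strings into local_decoder.xml and local_rules.xml and confirm with the real ossec-logtest before relying on them.

```python
import re
import xml.etree.ElementTree as ET

# Decoder from the thread, plus a rule in the shape dan sketched. The rule id,
# level, options, description and <decoded_as> are assumptions for this example
# (local rule ids must fall in the 100000-119999 range OSSEC reserves for them).
LOCAL_DECODER_XML = r"""<decoder name="ssl-cert">
  <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]</prematch>
  <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
  <order>srcuser,id,srcip,action,url,status,extra_data</order>
</decoder>"""
LOCAL_RULES_XML = r"""<group name="local,ssl-cert,">
  <rule id="100100" level="7">
    <decoded_as>ssl-cert</decoded_as>
    <id>PT</id>
    <options>alert_by_email</options>
    <description>Client-certificate access (PT) to the web server.</description>
  </rule>
</group>"""

# OSSEC's \p class as documented: ()*+,-.:;<=>?[]!"'#$%&|{}
_PUNCT = r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""
_ESCAPES = {'.': '.', 'p': _PUNCT, 'd': r'\d', 's': r'\s', 'S': r'\S',
            'w': r'[A-Za-z0-9@_\-]'}   # \w is approximate in this emulation

def ossec_to_python(pattern):
    """Translate OSSEC's small regex dialect to a Python regex.
    In OSSEC only \\d \\w \\s \\S \\. \\p and ^ $ ( ) + * are special; everything
    else (including [ ] . / -) is a literal, so those are re.escape()d."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in '^$()+*' else re.escape(c))
            i += 1
    return ''.join(out)

def load_decoders(xml_text):
    root = ET.fromstring('<r>' + xml_text + '</r>')   # allow several top-level <decoder>s
    return [{'name': d.get('name'),
             'prematch': re.compile(ossec_to_python(d.findtext('prematch'))),
             'regex': re.compile(ossec_to_python(d.findtext('regex'))),
             'order': d.findtext('order').split(',')} for d in root.iter('decoder')]

def decode(log, decoders):
    """Phase 2 of ossec-logtest: the first decoder whose prematch hits wins, and
    its regex groups are mapped onto <order>. None means 'No decoder matched.'"""
    for d in decoders:
        if not d['prematch'].search(log):
            continue
        fields = {'decoder': d['name']}
        m = d['regex'].search(log)
        if m:
            fields.update(zip(d['order'], m.groups()))
        return fields
    return None

def load_rules(xml_text):
    return [{'id': int(r.get('id')), 'level': int(r.get('level')),
             'decoded_as': r.findtext('decoded_as'), 'id_field': r.findtext('id'),
             'alert_by_email': 'alert_by_email' in (r.findtext('options') or ''),
             'description': r.findtext('description')}
            for r in ET.fromstring(xml_text).iter('rule')]

def match_rule(fields, rules, email_alert_level=7):
    """Phase 3: first rule whose conditions hold. 'email' follows dan's two routes
    to a mail: the alert_by_email option, or level >= email_alert_level (7 in a
    default ossec.conf)."""
    if fields is None:
        return None
    for r in rules:
        if r['decoded_as'] and fields.get('decoder') != r['decoded_as']:
            continue
        if r['id_field'] and fields.get('id') != r['id_field']:
            continue
        return {'rule': r['id'], 'level': r['level'], 'description': r['description'],
                'email': r['alert_by_email'] or r['level'] >= email_alert_level}
    return None

# Constructed sample input: Vitor's original line, a second certificate line
# with a different CN/IP/method/status, and a plain combined-format line that
# must fall through to "No decoder matched".
LOGS = [
    '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
    '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
    'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"',
    '"Ana Silva" "PT" 10.0.0.7 - - [22/Oct/2010:09:15:42 +0100] '
    '"POST /collect/upload HTTP/1.1" 403 512 "-" "curl/7.21.0"',
    '10.0.0.9 - - [22/Oct/2010:09:16:00 +0100] "GET / HTTP/1.0" 200 44 "-" "Wget/1.12"',
]

def run(logs=LOGS):
    """Return (decoded fields, matched rule) per log line, like logtest phases 2-3."""
    decoders, rules = load_decoders(LOCAL_DECODER_XML), load_rules(LOCAL_RULES_XML)
    out = []
    for log in logs:
        fields = decode(log, decoders)
        out.append((fields, match_rule(fields, rules)))
    return out

if __name__ == '__main__':
    for log, (fields, alert) in zip(LOGS, run()):
        print(log[:60] + '...')
        print('  decoded:', fields or 'No decoder matched.')
        print('  rule   :', alert)
```

The emulation is only a quick way to see which fields each line yields and whether the rule would fire; OSSEC's own matcher differs in details (no full backtracking, a slightly different \w), so a line that passes here still needs a run through ossec-logtest, and a line that fails there is the one to post back with.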