Your decoder includes "<program_name>^httpd</program_name>", but the
output from logtest has a null program_name:
>       program_name: '(null)'

Remove that line and it may work (I can't test at the moment).


On Fri, Oct 22, 2010 at 3:29 PM, vcorreia <[email protected]> wrote:
> No luck.
>
> I've created the following local_decoder.xml file in /var/ossec/etc:
>
> <decoder name="ssl-cert">
> <program_name>^httpd</program_name>
>  <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]
> </prematch>
>  <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
> \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>  <order>srcuser,id,srcip,action,url,status,extra_data</order>
> </decoder>
>
>
> Then I've appended the following to apache_rules in /var/ossec/rules:
>
> <rule id="30203" level="7">
>  <id>PT</id>
>  <description>Apache SSL Certificate access</description>
> </rule>
>
>
> I run logtest and this is what I get:
>
>
> "Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/2010:19:32:15 +0100]
> "GET /collect/imagens/iconconnect.ico HTTP/1.1" 404 1419 "-" "Mozilla/
> 5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012
> Firefox/3.6.11"
>
>
> **Phase 1: Completed pre-decoding.
>       full event: '"Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/
> 2010:19:32:15 +0100] "GET /collect/imagens/iconconnect.ico HTTP/1.1"
> 404 1419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:
> 1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>       hostname: 'www'
>       program_name: '(null)'
>       log: '"Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/
> 2010:19:32:15 +0100] "GET /collect/imagens/iconconnect.ico HTTP/1.1"
> 404 1419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:
> 1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>
> **Phase 2: Completed decoding.
>       No decoder matched.
>
> :(
>
> Vitor Correia
>
>
> On Oct 22, 7:49 pm, "dan (ddp)" <[email protected]> wrote:
>> It worked fine for me. Make sure the decoder pasted nicely. It doesn't
>> look very nice in gmail to me, and weird newlines might mess with
>> things.
>>
>> On Fri, Oct 22, 2010 at 2:44 PM, vcorreia <[email protected]> wrote:
>> > I did what you said, but on logtest I keep getting this error:
>>
>> > **Phase 2: Completed decoding.
>> >       No decoder matched.
>>
>> > Vitor Correia
>>
>> > On Oct 22, 5:02 pm, "dan (ddp)" <[email protected]> wrote:
>> >> On Fri, Oct 22, 2010 at 11:35 AM, vcorreia <[email protected]> wrote:
>> >> > Hello,
>>
>> >> > It looks excellent :)
>>
>> >> > I only posted one line of log because all the other lines are the
>> >> > same, only changing the time, ip and the first field which is the
>> >> > common name of the certificate. The second field 'PT' is always the
>> >> > same, I set it up that way in order to have a way for ossec to catch
>> >> > the log entry.
>>
>> >> That's fine. I just wanted to make it clear that other log entries
>> >> could be different (as far as I knew), and that they should be tested
>> >> too. :)
>>
>> >> > Where should I put your decoder? How can I go about making it send me
>> >> > email every time a log entry like the one appears?
>>
>> >> Put the decoder in /var/ossec/etc/local_decoder.xml (change /var/ossec
>> >> to wherever you installed ossec).
>>
>> >> Adding <options>alert_by_email</options> will make the rule always get
>> >> emailed. Also setting the level high enough to be emailed (I think
>> >> it's 7 and up by default) could do it.
>>
>> >> > Thanks for your help.
>>
>> >> > Vitor Correia
>>
>> >> > On Oct 21, 3:09 pm, "dan (ddp)" <[email protected]> wrote:
>> >> >> This is a bit rough. I've tested it to make sure it doesn't hurt
>> >> >> anything else, but my tests aren't exhaustive. Also, it's tough with
>> >> >> only 1 log sample to make sure I've got everything. And last but not
>> >> >> least, I didn't look at the other web decoders to make sure the items
>> >> >> I placed in <order> match up to what they use. But here's a decoder:
>>
>> >> >> <decoder name="ssl-cert">
>> >> >>   <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]
>> >> >> </prematch>
>> >> >>   <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
>> >> >> \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>> >> >>   <order>srcuser,id,srcip,action,url,status,extra_data</order>
>> >> >> </decoder>
>>
>> >> >> Here's what it looks like going through logtest:
>> >> >> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>> >> >> 2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
>> >> >> 2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
>> >> >> ossec-testrule: Type one log per line.
>>
>> >> >> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> >> >> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> >> >> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> >> >> **Phase 1: Completed pre-decoding.
>> >> >>        full event: '"Vitor Correia" "PT" 89.155.91.201 - -
>> >> >> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> >> >> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> >> >> Gecko/20101012 Firefox/3.6.11"'
>> >> >>        hostname: 'ix'
>> >> >>        program_name: '(null)'
>> >> >>        log: '"Vitor Correia" "PT" 89.155.91.201 - -
>> >> >> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> >> >> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> >> >> Gecko/20101012 Firefox/3.6.11"'
>>
>> >> >> **Phase 2: Completed decoding.
>> >> >>        decoder: 'ssl-cert'
>> >> >>        srcuser: 'Vitor Correia'
>> >> >>        id: 'PT'
>> >> >>        srcip: '89.155.91.201'
>> >> >>        action: 'GET'
>> >> >>        url: '/collect/main/'
>> >> >>        status: '200'
>> >> >>        extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
>> >> >> rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>>
>> >> >> To write a rule you'd use something like:
>> >> >> <rule id="NUMBER" level="NUMBER">
>> >> >>   <id>PT</id>
>> >> >>   <description>something</description>
>> >> >> </rule>
>>
>> >> >> I'd run a bunch of logs through ossec-logtest to make sure it works on
>> >> >> all of them and not just the one you posted. But this should be enough
>> >> >> to get you started. If it doesn't work for another log, feel free to
>> >> >> post back with that log. I can help tune it if you need it.
>>
>> >> >> Also, a little self promotion:
>> >> >> http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html That blog
>> >> >> post describes writing decoders bit by bit using ossec-logtest to test
>> >> >> it out.
>> >> >> HTH!
>> >> >> dan
>>
>> >> >> On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <[email protected]> wrote:
>> >> >> > Hello everyone,
>>
>> >> >> > How can I go about writing a decoder/rule to send me an email every
>> >> >> > time a log entry like this is registered?
>>
>> >> >> > "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> >> >> > "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> >> >> > Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> >> >> > I'm interested in catching the bit which says "PT", that will be the
>> >> >> > bit that will always appear.
>>
>> >> >> > Thanks in advance.
>>
>> >> >> > Vitor Correia
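The thread above turns on two things: how the ssl-cert decoder's `<prematch>`/`<regex>`/`<order>` pull fields out of the access-log line, and why adding `<program_name>^httpd</program_name>` stops it matching (the line carries no syslog header, so pre-decoding leaves program_name null and the condition can never be satisfied). The script below is an added illustration written for this page, not OSSEC's own code: it translates the decoder's OSSEC regex tokens (`\.`, `\S`, `\d`, `\p`, ...) into Python regexes as an approximation of OS_Regex, models pre-decoding as "strip a plain syslog header if there is one", and runs the thread's decoder, with and without the `<program_name>` line, over the log line from the thread plus a constructed syslog-wrapped copy of it. Field and class definitions, the `Event`/`Decoder` names and the `rule_matches` helper are this example's own; `ossec-logtest` remains the authoritative check.

```python
"""Toy model of OSSEC pre-decoding and decoder matching (added example, not OSSEC code).

The regex translation approximates OS_Regex and the pre-decoder only knows a plain
syslog header; use ossec-logtest for the real answer.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# OSSEC regex tokens (the char after the backslash) and approximate Python equivalents.
# In OS_Regex "\." is the wildcard and a bare "." is a literal dot.
_OSSEC_TOKENS = {
    ".": ".",
    "S": r"\S",
    "s": r"\s",
    "d": r"\d",
    "w": r"[A-Za-z0-9_@\-]",                      # OSSEC \w: alnum, '_', '@', '-'
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",   # OSSEC \p: punctuation set
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder regex into a Python regex (approximation)."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_TOKENS:
            out.append(_OSSEC_TOKENS[pattern[i + 1]])
            i += 2
            continue
        # Metacharacters OSSEC shares with Python stay; everything else is literal.
        out.append(ch if ch in "^$+*()|" else re.escape(ch))
        i += 1
    return "".join(out)


@dataclass
class Event:
    hostname: Optional[str]
    program_name: Optional[str]
    log: str


# "Mon DD HH:MM:SS host program[pid]: message" (only header shape modelled here).
_SYSLOG_HDR = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")


def pre_decode(line: str) -> Event:
    """Phase 1: split off a syslog header if present.

    A bare Apache access-log line has no header, so program_name is None,
    which is what ossec-logtest prints as program_name: '(null)'.
    """
    m = _SYSLOG_HDR.match(line)
    if m:
        return Event(hostname=m.group(1), program_name=m.group(2), log=m.group(3))
    return Event(hostname=None, program_name=None, log=line)


@dataclass
class Decoder:
    name: str
    prematch: str
    regex: str
    order: List[str]
    program_name: Optional[str] = None   # the optional <program_name> condition


def decode(decoder: Decoder, event: Event) -> Optional[Dict[str, str]]:
    """Phase 2: return the fields named in <order>, or None if the decoder does not match."""
    if decoder.program_name is not None:
        # A <program_name> condition can never be satisfied by a null program_name.
        if event.program_name is None or not re.search(
                ossec_to_python(decoder.program_name), event.program_name):
            return None
    if not re.search(ossec_to_python(decoder.prematch), event.log):
        return None
    m = re.search(ossec_to_python(decoder.regex), event.log)
    if not m:
        return None
    return dict(zip(decoder.order, m.groups()))


def rule_matches(fields: Optional[Dict[str, str]], wanted_id: str) -> bool:
    """A rule with <id>PT</id> fires when the decoded 'id' field equals PT."""
    return fields is not None and fields.get("id") == wanted_id


# The decoder from the thread, with prematch and regex each on a single line.
SSL_CERT = Decoder(
    name="ssl-cert",
    prematch=r'^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]',
    regex=(r'^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] '
           r'"(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)'),
    order=["srcuser", "id", "srcip", "action", "url", "status", "extra_data"],
)
# The same decoder with the <program_name>^httpd</program_name> line added.
SSL_CERT_HTTPD = replace(SSL_CERT, program_name="^httpd")

# Log line from the thread, exactly as Apache writes it (no syslog header).
APACHE_LINE = ('"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
               '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
               'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"')
# Constructed variant: the same line as if forwarded through syslog by a program named httpd.
SYSLOG_LINE = "Oct 21 01:48:13 www httpd: " + APACHE_LINE

if __name__ == "__main__":
    for line in (APACHE_LINE, SYSLOG_LINE):
        ev = pre_decode(line)
        print("program_name:", ev.program_name)
        for dec in (SSL_CERT, SSL_CERT_HTTPD):
            tag = " +program_name" if dec.program_name else ""
            print(f"  {dec.name}{tag}:", decode(dec, ev))
```

Running it shows the plain decoder producing the same seven fields that logtest printed in the thread (including the trailing `"` on extra_data, since the final `"(\.+)` has no closing quote), the `^httpd` variant returning no match for the bare Apache line, and that same variant matching only once the line arrives with a syslog header that names the program.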
