Hi,
I'm trying to set up some decoders and rules for a piece of software we
use to authenticate Windows AD users to Linux boxes. Here are the messages
I'm getting:
OSSEC HIDS Notification.
2011 Mar 05 22:46:49
Received From: (appl2) 192.168.1.4->/var/log/messages
Rule: 100000 fired (level 8) -> "Likewise messages grouped."
Portion of the log(s):
Mar 5 22:46:48 appl2 centeris-gpagentd[3403]: Failed to apply policy for user [uid:10201]
I'm trying to extract the uid with the decoders below:
<!--
- Feb 27 08:52:11 appl2 centeris-gpagentd[3403]: Failed to apply policy for user [uid:10201]
- Mar 3 02:28:31 appl2 centeris-gpagentd[3403]: Failed to apply policy for user [uid:830500276]
-->
<decoder name="likewise">
  <program_name>^centeris-gpagentd|^likewise-winbindd</program_name>
</decoder>

<!-- fill user with uid, since username is not available -->
<decoder name="likewise-user-policy-fail">
  <parent>likewise</parent>
  <prematch>^Failed to apply policy for user </prematch>
  <regex offset="after_prematch">[uid:(\d+)]</regex>
  <order>user</order>
</decoder>
And I'm trying to capture the "likewise-user-policy-fail" decoded events
with rule 100003 below:
<group name="syslog,likewise,">
  <rule id="100000" level="8">
    <decoded_as>likewise</decoded_as>
    <description>Likewise messages grouped.</description>
  </rule>

  <rule id="100003" level="8">
    <decoded_as>likewise-user-policy-fail</decoded_as>
    <description>Likewise user group policy failure</description>
    <group>client_misconfig,</group>
  </rule>
</group>
However, the messages I'm getting above are from rule 100000 instead.
What am I doing wrong here? I can't see anything that's different from
what the documentation suggests, or from the rules and decoders packaged
with OSSEC.
-Nate
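To check that the decoder chain above actually extracts the uid, here is a small Python emulation of the parent/child decoder steps (program_name match, prematch, regex with offset="after_prematch", order). It is an added example, not part of the post or of OSSEC; the patterns are Python-regex translations of the post's decoders, and the sample lines are constructed from the syslog output quoted above.

```python
import re

# Constructed sample lines, taken from the post's syslog output, plus one
# unrelated sshd line to show a non-matching program name.
SAMPLE_LOGS = [
    "Feb 27 08:52:11 appl2 centeris-gpagentd[3403]: Failed to apply policy for user [uid:10201]",
    "Mar 3 02:28:31 appl2 centeris-gpagentd[3403]: Failed to apply policy for user [uid:830500276]",
    "Mar 5 22:46:50 appl2 sshd[2210]: Accepted publickey for alice from 192.168.1.9 port 50122 ssh2",
]

# Syslog header: timestamp, host, program name, optional pid, then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The post's decoders as Python regexes. OSSEC's own regex dialect treats
# '[' and ']' as literal characters, so they are escaped here for Python.
PARENT = {
    "name": "likewise",
    "program_name": re.compile(r"^(?:centeris-gpagentd|likewise-winbindd)"),
}
CHILDREN = [{
    "name": "likewise-user-policy-fail",
    "prematch": re.compile(r"^Failed to apply policy for user "),
    "regex": re.compile(r"\[uid:(\d+)\]"),  # applied to the text after the prematch
    "order": ["user"],
}]


def decode(line):
    """Return (decoder name, extracted fields) for one syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m or not PARENT["program_name"].search(m.group("prog")):
        return None  # parent decoder does not apply to this program
    msg = m.group("msg")
    for child in CHILDREN:
        pm = child["prematch"].search(msg)
        if not pm:
            continue
        rm = child["regex"].search(msg[pm.end():])  # offset="after_prematch"
        if rm:
            return child["name"], dict(zip(child["order"], rm.groups()))
    return PARENT["name"], {}  # only the parent matched; no fields filled


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line))
```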