Hi Nate,

On Mon, Mar 7, 2011 at 10:49 AM, Nate Woodward <[email protected]> wrote:
> Hi,
>
> I'm trying to set up some decoders and rules for a piece of software we
> use to authenticate Windows AD users to Linux boxes. Here are the messages
> I'm getting:
>
> OSSEC HIDS Notification.
> 2011 Mar 05 22:46:49
>
> Received From: (appl2) 192.168.1.4->/var/log/messages
> Rule: 100000 fired (level 8) -> "Likewise messages grouped."
> Portion of the log(s):
>
> Mar 5 22:46:48 appl2 centeris-gpagentd[3403]: Failed to apply policy
> for user [uid:10201]
>
> I'm trying to extract the uid with the decoders below:
>
> <!--
> - Feb 27 08:52:11 appl2 centeris-gpagentd[3403]: Failed to apply
> policy for user [uid:10201]
> - Mar 3 02:28:31 appl2 centeris-gpagentd[3403]: Failed to apply
> policy for user [uid:830500276]
> -->
> <decoder name="likewise">
>   <program_name>^centeris-gpagentd|^likewise-winbindd</program_name>
> </decoder>
>
> <!-- fill user with uid, since username is not available -->
> <decoder name="likewise-user-policy-fail">
>   <parent>likewise</parent>
>   <prematch>^Failed to apply policy for user </prematch>
>   <regex offset="after_prematch">[uid:(\d+)]</regex>
>   <order>user</order>
> </decoder>
>
> And I'm trying to capture the "likewise-user-policy-fail" decoded events
> with rule 100003 below:
>
> <group name="syslog,likewise,">
>   <rule id="100000" level="8">
>     <decoded_as>likewise</decoded_as>
>     <description>Likewise messages grouped.</description>
>   </rule>
>
>   <rule id="100003" level="8">
>     <decoded_as>likewise-user-policy-fail</decoded_as>
>     <description>Likewise user group policy failure</description>
>     <group>client_misconfig,</group>
>   </rule>
> </group>
>
> However, the messages I'm getting above are from rule 100000 instead.
> What am I doing wrong here? I can't see anything that's different from
> what the documentation suggests, or from the rules and decoders packaged
> with OSSEC.
>
> -Nate
>
Rules that are decoded by child decoders use the name of the parent decoder. Any rule that uses the likewise-user-policy-fail decoder will identify itself as using the likewise decoder. You might be able to use the "use_own_name" option to make your way work, but I've found just using the parent decoder's name easier.
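The rewrite the reply describes, as an added example that is not from the original thread or from OSSEC's shipped rules: rule 100003 keyed to the parent decoder through the grouping rule (if_sid) plus a match on the message text, with the use_own_name alternative shown commented out in the decoder. Rule ids, descriptions and log text are Nate's; the if_sid/match approach and the local_decoder.xml / local_rules.xml placement are assumptions.

```xml
<!-- local_decoder.xml: the child decoder is unchanged. The commented
     use_own_name line is the alternative: with it set to true the event
     would carry the child's name and Nate's original decoded_as would work. -->
<decoder name="likewise-user-policy-fail">
  <parent>likewise</parent>
  <!-- <use_own_name>true</use_own_name> -->
  <prematch>^Failed to apply policy for user </prematch>
  <regex offset="after_prematch">[uid:(\d+)]</regex>
  <order>user</order>
</decoder>

<!-- local_rules.xml: events decoded by the child are reported under the
     parent name "likewise", so narrow on the grouping rule and the text
     rather than on the child decoder name. -->
<group name="syslog,likewise,">
  <rule id="100000" level="8">
    <decoded_as>likewise</decoded_as>
    <description>Likewise messages grouped.</description>
  </rule>

  <rule id="100003" level="8">
    <if_sid>100000</if_sid>
    <match>Failed to apply policy for user</match>
    <description>Likewise user group policy failure</description>
    <group>client_misconfig,</group>
  </rule>
</group>
```

If only the policy failure should alert, drop rule 100000 to level 0 so it groups without generating a notification for every Likewise message.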
