Dan,

> -----Original Message-----
> From: dan (ddp) [mailto:[email protected]]
> Sent: Monday, March 07, 2011 10:35 AM
> To: [email protected]
> Subject: Re: [ossec-list] Decoder/Rules Problem
>
> Hi Nate,
>
> On Mon, Mar 7, 2011 at 10:49 AM, Nate Woodward
> <[email protected]> wrote:
> > Hi,
> >
> > I'm trying to set up some decoders and rules for a piece of software
> > we use to authenticate Windows AD users to Linux boxes. Here are the
> > messages I'm getting:
> >
> > OSSEC HIDS Notification.
> > 2011 Mar 05 22:46:49
> >
> > Received From: (appl2) 192.168.1.4->/var/log/messages
> > Rule: 100000 fired (level 8) -> "Likewise messages grouped."
> > Portion of the log(s):
> >
> > Mar 5 22:46:48 appl2 centeris-gpagentd[3403]: Failed to apply policy
> > for user [uid:10201]
> >
> > I'm trying to extract the uid with the decoders below:
> >
> > <!--
> > - Feb 27 08:52:11 appl2 centeris-gpagentd[3403]: Failed to apply
> > policy for user [uid:10201]
> > - Mar 3 02:28:31 appl2 centeris-gpagentd[3403]: Failed to apply
> > policy for user [uid:830500276]
> > -->
> > <decoder name="likewise">
> >   <program_name>^centeris-gpagentd|^likewise-winbindd</program_name>
> > </decoder>
> >
> > <!-- fill user with uid, since username is not available -->
> > <decoder name="likewise-user-policy-fail">
> >   <parent>likewise</parent>
> >   <prematch>^Failed to apply policy for user </prematch>
> >   <regex offset="after_prematch">[uid:(\d+)]</regex>
> >   <order>user</order>
> > </decoder>
> >
> > And I'm trying to capture the "likewise-user-policy-fail" decoded
> > events with rule 100003 below:
> >
> > <group name="syslog,likewise,">
> >   <rule id="100000" level="8">
> >     <decoded_as>likewise</decoded_as>
> >     <description>Likewise messages grouped.</description>
> >   </rule>
> >
> >   <rule id="100003" level="8">
> >     <decoded_as>likewise-user-policy-fail</decoded_as>
> >     <description>Likewise user group policy failure</description>
> >     <group>client_misconfig,</group>
> >   </rule>
> > </group>
> >
> > However, the messages I'm getting above are from rule 100000 instead.
> > What am I doing wrong here? I can't see anything that's different from
> > what the documentation suggests, or from the rules and decoders
> > packaged with OSSEC.
> >
> > -Nate
> >
>
> Rules that are decoded by child decoders use the name of the
> parent decoder. Any rule that uses the
> likewise-user-policy-fail decoder will identify itself as
> using the likewise decoder.
> You might be able to use the "use_own_name" option to make
> your way work, but I've found just using the parent decoder's
> name easier.
>

Ah, okay. In that case, I'll try this instead:

<rule id="100003" level="8">
  <if_sid>100000</if_sid>
  <match>^Failed to apply policy for user</match>
  <description>Likewise user group policy failure</description>
  <group>client_misconfig,</group>
</rule>

Thanks for the help!
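For reference, the other route dan mentions, written out as an added example rather than code from the thread: the child decoder sets use_own_name, so the original decoded_as rule can match on the child's name instead of needing if_sid plus match. The program_name, prematch and regex are Nate's; use_own_name is OSSEC's documented decoder option.

```xml
<!-- Added example, not from the thread. Decoder pair for lines such as
     (from Nate's mail):
     Mar 5 22:46:48 appl2 centeris-gpagentd[3403]: Failed to apply policy for user [uid:10201] -->
<decoder name="likewise">
  <program_name>^centeris-gpagentd|^likewise-winbindd</program_name>
</decoder>

<decoder name="likewise-user-policy-fail">
  <parent>likewise</parent>
  <!-- Without this option the rule engine reports the event as decoded by
       "likewise" (the parent), so <decoded_as>likewise-user-policy-fail</decoded_as>
       never fires. With it, the child keeps its own name. -->
  <use_own_name>true</use_own_name>
  <prematch>^Failed to apply policy for user </prematch>
  <regex offset="after_prematch">[uid:(\d+)]</regex>
  <order>user</order>
</decoder>

<group name="syslog,likewise,">
  <!-- Catch-all for everything the parent decoder matches. -->
  <rule id="100000" level="8">
    <decoded_as>likewise</decoded_as>
    <description>Likewise messages grouped.</description>
  </rule>

  <!-- Now reachable: the policy-failure lines carry the child decoder's name,
       and the uid captured by <order>user</order> is available as the user field. -->
  <rule id="100003" level="8">
    <decoded_as>likewise-user-policy-fail</decoded_as>
    <description>Likewise user group policy failure</description>
    <group>client_misconfig,</group>
  </rule>
</group>
```

Whichever variant is deployed, feeding the sample line to /var/ossec/bin/ossec-logtest shows in its phase 2 output which decoder name the rule engine actually sees, and in phase 3 which rule fired.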
