Hi all. We have a PostgreSQL installation that writes two lines for every query error. For example, after executing the query "select * from unexistant_table", the PostgreSQL log file has the following two lines:

May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;

We need to send an alert for every query error with the corresponding "STATEMENT" attached. Because our postgres log format is different from the one bundled with OSSEC, we wrote our own decoder and rules. The decoder (edistar_pgsql) works fine. The rules work OK for single events. To send the previous two lines within the same alert, we created a composite rule with a very restricted timeframe, so that the two events are grouped together. Here are the relevant rules written so far:

<group name="edistar_pgsql,">
  <rule id="100500" level="0">
    <decoded_as>edistar_postgresql</decoded_as>
    <description>Edistar PostgreSQL messages grouped.</description>
  </rule>
  <rule id="100501" level="4">
    <if_sid>100500</if_sid>
    <status>ERROR|STATEMENT</status>
    <description>PostgreSQL error message and relative statement.</description>
    <group>pgsql_query_failures,</group>
  </rule>
  <rule id="100502" level="8" frequency="2" timeframe="1" ignore="0">
    <if_matched_group>pgsql_query_failures</if_matched_group>
    <description>PostgreSQL error message. Query attached.</description>
  </rule>
</group>

The composite rule does not work as expected. In order to trigger it, two query errors must be generated within the timeframe, so the log would be:

May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;

In this case OSSEC generates an alert with only two lines (the second and the third). Can you help me? Is there another way to get the correct result?

Thank you in advance for your help,
Denis

Sent from iPad
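As an added example (not the poster's code and not part of OSSEC), one other way to get an ERROR and its STATEMENT into a single event is to pair them before they reach the correlation engine, keying on the backend session id and the consecutive line counter in the log prefix (4dde97bd.57df-17, then -18) instead of a frequency/timeframe window. The regex for this custom syslog format and the sample lines beyond the two quoted in the post are assumptions constructed for the example:

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample: the first two lines are the ones quoted in the post,
# the rest are made up (a second session, and an ERROR with no STATEMENT).
SAMPLE_LOG = """\
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
May 26 20:11:47 test_machine postgres: 22601[4dde97c2.5849-3] app@ossec(10.0.0.5) INSERT ERROR: duplicate key value violates unique constraint "users_pkey"
May 26 20:11:47 test_machine postgres: 22601[4dde97c2.5849-4] app@ossec(10.0.0.5) INSERT STATEMENT: insert into users values (1, 'bob');
May 26 20:11:48 test_machine postgres: 22495[4dde97bd.57df-19] user@ossec([local]) SELECT ERROR: permission denied for relation secrets
"""

# Assumed layout of the post's format:
# "<ts> <host> postgres: <pid>[<session>-<seq>] <user>@<db>(<client>) <cmd> <LEVEL>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postgres: "
    r"(?P<pid>\d+)\[(?P<session>[0-9a-f]+\.[0-9a-f]+)-(?P<seq>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>[^(\s]+)\((?P<client>[^)]*)\) (?P<cmd>\S+) "
    r"(?P<level>ERROR|STATEMENT): (?P<msg>.*)$"
)

@dataclass
class QueryFailure:
    session: str
    user: str
    db: str
    error: str
    statement: Optional[str]  # None when no STATEMENT line followed the ERROR

def pair_failures(lines) -> Iterator[QueryFailure]:
    """Yield one QueryFailure per ERROR line, attaching the STATEMENT that
    immediately follows it in the same backend session (seq == error seq + 1)."""
    pending = {}  # session id -> (error seq, QueryFailure awaiting its STATEMENT)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ERROR/STATEMENT line in this format
        sess, seq = m["session"], int(m["seq"])
        if m["level"] == "ERROR":
            if sess in pending:  # earlier ERROR in this session never got a STATEMENT
                yield pending.pop(sess)[1]
            pending[sess] = (seq, QueryFailure(sess, m["user"], m["db"], m["msg"], None))
        elif sess in pending and pending[sess][0] + 1 == seq:
            failure = pending.pop(sess)[1]
            failure.statement = m["msg"]
            yield failure
    yield from (f for _, f in pending.values())  # flush ERRORs without a STATEMENT

def failures_from_text(text: str) -> list:
    return list(pair_failures(text.splitlines()))
```

Each QueryFailure is one complete event to forward, so a downstream rule can fire on every error without a frequency counter.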
