I tested with frequency=0. The alarm is triggered on receipt of the second 
line, but the email with the alarms contains only the last row and not the first 
(the one with the error)... :-( 

Denis 

----- Original message -----


From: "Denis Gasparin" <[email protected]> 
To: [email protected] 
Cc: [email protected] 
Sent: Friday, 27 May 2011 15:33:44 
Subject: Re: [ossec-list] Help on composite rules 

From what I read, I should set frequency to 0 in order to get the alarm every 
2 events. I'll try and let you know.. 

The 100501 fires. 

Thank you 
Denis 


On 27 May 2011, at 14:22, "dan (ddp)" <[email protected]> 
wrote: 

> Does 100501 fire? 
> 
> It may be a "frequency" issue, take a look at the following thread, it 
> may be useful: 
> http://marc.info/?l=ossec-list&m=129736702512080&w=2 
> 
> On Thu, May 26, 2011 at 4:28 PM, Denis Gasparin 
> <[email protected]> wrote: 
>> 
>> Hi all. 
>> 
>> We have a PostgreSQL installation that writes two lines for every query 
>> error. For example, after executing the query "select * from 
>> unexistant_table", the PostgreSQL log file has the following two lines: 
>> 
>> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist 
>> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table; 
>> 
>> We need to send an alert for every query error with the related 
>> "STATEMENT" attached. 
>> 
>> Because our postgres log format is different from the one bundled with OSSEC, 
>> we wrote our own decoder and rules. 
>> 
>> The decoder (edistar_pgsql) works fine. The rules work OK for single 
>> events. 
>> To send the two lines above within the same alert, we created a 
>> composite rule with a very restricted timeframe, so that the two events are 
>> grouped together. Here are the relevant rules written so far: 
>> 
>> <group name="edistar_pgsql,"> 
>> <rule id="100500" level="0"> 
>> <decoded_as>edistar_postgresql</decoded_as> 
>> <description>Edistar PostgreSQL messages grouped.</description> 
>> </rule> 
>> 
>> <rule id="100501" level="4"> 
>> <if_sid>100500</if_sid> 
>> <status>ERROR|STATEMENT</status> 
>> <description>PostgreSQL error message and relative 
>> statement.</description> 
>> <group>pgsql_query_failures,</group> 
>> </rule> 
>> 
>> <rule id="100502" level="8" frequency="2" timeframe="1" ignore="0"> 
>> <if_matched_group>pgsql_query_failures</if_matched_group> 
>> <description>PostgreSQL error message. Query attached.</description> 
>> </rule> 
>> </group> 
>> 
>> The composite rule does not work as expected. In order to trigger it, two 
>> query errors must be generated within the timeframe, so the log would be: 
>> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist 
>> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table; 
>> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist 
>> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table; 
>> 
>> In this case OSSEC would generate an alert with only two lines (the second 
>> and the third). 
>> 
>> Can you help me? Is there another way to get the correct result? 
>> 
>> Thank you in advance for your help, 
>> Denis 
>> Sent from my iPad 
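The thread leaves the composite-rule question open: a frequency/timeframe rule only counts matching events, so the alert carries whichever line pushed the counter over the threshold, not the ERROR/STATEMENT pair that belongs together. As an added example (not code from the thread, from OSSEC, or from the edistar decoder), here is a small standalone Python correlator for the log format Denis quoted. It keys on the PostgreSQL session id and per-session line counter in the `22495[4dde97bd.57df-17]` field, so the ERROR and its STATEMENT end up in the same alert even when two sessions interleave, a DETAIL or HINT line between them does no harm, and an ERROR that never gets a STATEMENT is still reported on its own. This is the kind of logic you would run as a pre-processing step or an out-of-band check rather than as an OSSEC rule. The sample log lines are constructed, modelled on the quoted ones; the function names, the field names in the regex and the assumption that a STATEMENT follows its ERROR in the same session's counter are mine, not something the thread states.

```python
import re

# Regex for the custom PostgreSQL syslog format quoted in the thread, e.g.
#   May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation ... does not exist
# "session" (4dde97bd.57df) identifies one backend session and "seq" is the
# per-session log line counter, so an ERROR and its STATEMENT share the session
# and the STATEMENT carries the higher counter (assumption, see lead-in).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) postgres: "
    r"(?P<pid>\d+)\[(?P<session>[0-9a-f]+\.[0-9a-f]+)-(?P<seq>\d+)\] "
    r"(?P<user>\S+) (?P<tag>\S+) (?P<status>[A-Z]+): (?P<msg>.*)$"
)


def parse_line(line):
    """Decode one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ev = m.groupdict()
    ev["seq"] = int(ev["seq"])
    ev["raw"] = line.rstrip("\n")
    return ev


def _alert(err, stmt):
    """Build one alert record from an ERROR event and its STATEMENT (or None)."""
    return {
        "ts": err["ts"],
        "host": err["host"],
        "session": err["session"],
        "error": err["msg"],
        "statement": stmt["msg"] if stmt else None,
        "lines": [err["raw"]] + ([stmt["raw"]] if stmt else []),
    }


def correlate(lines):
    """Pair each ERROR line with the STATEMENT line of the same session.

    Unlike a frequency/timeframe composite rule, which only counts events,
    this keys on the session id, so interleaved sessions are not mis-paired
    and an ERROR whose STATEMENT never arrives is still reported.
    """
    pending = {}   # session id -> ERROR event still waiting for its STATEMENT
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        sess = ev["session"]
        if ev["status"] == "ERROR":
            # A new ERROR in a session that still has one pending means the
            # earlier one had no STATEMENT: emit it alone rather than mis-pair.
            if sess in pending:
                alerts.append(_alert(pending.pop(sess), None))
            pending[sess] = ev
        elif ev["status"] == "STATEMENT":
            err = pending.pop(sess, None)
            if err is None:
                continue  # STATEMENT with no preceding ERROR in this session
            # DETAIL/HINT lines may sit between ERROR and STATEMENT, so only
            # require the STATEMENT to come later in the session's counter.
            alerts.append(_alert(err, ev if ev["seq"] > err["seq"] else None))
        # DETAIL, HINT, LOG, ... carry no pairing information here and are skipped
    # End of input: report errors that never got a STATEMENT.
    for err in pending.values():
        alerts.append(_alert(err, None))
    return alerts


def render(alert):
    """Render one alert as the text that would go into the notification mail."""
    body = "\n".join(alert["lines"])
    if alert["statement"] is None:
        body += "\n(no STATEMENT line logged for this error)"
    return "PostgreSQL query error on %s, session %s:\n%s" % (
        alert["host"], alert["session"], body)


# Constructed sample, modelled on the lines quoted in the thread (not real data):
# two sessions whose ERROR/STATEMENT pairs interleave, a DETAIL line inside
# one pair, and a final ERROR that never gets a STATEMENT.
SAMPLE_LOG = [
    'May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist',
    'May 26 20:11:46 test_machine postgres: 22496[4dde97c0.57e0-3] user@ossec([local]) INSERT ERROR: duplicate key value violates unique constraint "t_pkey"',
    'May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;',
    'May 26 20:11:46 test_machine postgres: 22496[4dde97c0.57e0-4] user@ossec([local]) INSERT DETAIL: Key (id)=(1) already exists.',
    'May 26 20:11:46 test_machine postgres: 22496[4dde97c0.57e0-5] user@ossec([local]) INSERT STATEMENT: insert into t values (1);',
    'May 26 20:11:47 test_machine postgres: 22497[4dde97c1.57e1-2] user@ossec([local]) SELECT ERROR: permission denied for relation secrets',
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(render(a))
        print()
```

Running it prints three alerts: the first two each contain the ERROR line and the STATEMENT line of one session, in the order the errors were raised; the third contains only the ERROR line plus a note that no STATEMENT was logged. The session key is what makes the difference from the frequency-based rule in the thread: the second session's ERROR arrives between the first session's ERROR and STATEMENT, and a pure count would have grouped those two ERROR lines together.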
