Re: [ossec-list] Re: Tomcat 6 log4j output log

Tue, 09 Aug 2011 11:46:25 -0700 

<decoder name="cartwright">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d\d DEBUG </prematch>
  <regex>P_Username=(\S+) \.+P_PassWord=(\S+) \.+P_IPAddress=(\S+)
\.+P_ComputerName=(\S+) \.+ DBCall \p(\d+)\p </regex>
  <order>dstuser, extra_data, srcip, url, status</order>
</decoder>


Hopefully this application logs to its own file, because you'll need
to use the multi-line localfile option. The documentation is a bit
lacking at the moment, so here is what I used:
  <localfile>
    <log_format>multi-line: 7</log_format>
    <location>/var/log/testing</location>
  </localfile>

The 7 is the number of lines in each log message.

On Tue, Aug 9, 2011 at 7:12 AM, David Cartwright <[email protected]> wrote:
> Got to admit that my efforts on decoders haven't been too successful.
>
> Yes, the lines wrapped, so each line starts with the date in format
> 2011-08-09 ....
>
> cheers .. .david
>
> On Aug 9, 8:52 pm, "dan (ddp)" <[email protected]> wrote:
>> What do you have so far?
>> Are those single line logs?
>> On Aug 9, 2011 6:50 AM, "David Cartwright" <[email protected]> wrote:
>>
>>
>>
>>
>>
>>
>>
>> > I have the following log4j output from Tomcat 6 for which I am hoping
>> > I can get help on a decoder.
>>
>> > Goal is to extract the username, password, IP address, Computer Name,
>> > and the final DBCall [x] reference that is 0 for failed login or 1 for
>> > successful login.
>>
>> > 2011-08-09 15:47:24.0196 DEBUG http-8443-4 gwt-log - DBCall
>> > [PARAM]P_Username=dummy
>> > 2011-08-09 15:47:24.0196 DEBUG http-8443-4 gwt-log - DBCall
>> > [PARAM]P_PassWord=dummypassword
>> > 2011-08-09 15:47:24.0196 DEBUG http-8443-4 gwt-log - DBCall
>> > [PARAM]P_IPAddress=222.333.444.555
>> > 2011-08-09 15:47:24.0702 DEBUG http-8443-4 gwt-log - DBCall
>> > [PARAM]P_ComputerName=dummy.domain.com
>> > 2011-08-09 15:47:24.0702 DEBUG http-8443-4 gwt-log - DBCall [PARAM]
>> > [OUT]P_ErrorCode
>> > 2011-08-09 15:47:24.0702 DEBUG http-8443-4 gwt-log - DBCall [PARAM]
>> > [OUT]P_ErrorDescription
>> > 2011-08-09 15:47:24.0746 DEBUG http-8443-4 gwt-log - DBCall [0]
>> > Finish : Proc_Session_Create(?,?,?,?,?,?) : Took 1425 ms
>>
>> > many thanks .. david

Reply via email to