Hi all,
I seem to have run into trouble using command log format handling.
There's a log file that contains XML which spans multiple lines, so I
wrote a Python script to flatten it so the agent process can pick up
each entry and send it to the server. That didn't work, so I tried
copying the log file to the server directly, but that didn't trigger an
alert either.
To debug this, I've greatly simplified the configuration so it's easy
to try and reproduce. I can't even get it to "cat" a trivial file and
kick off a sample alert.
I've set it up like so. To the ossec.conf file, I added the
following block:
<localfile>
  <location>/tmp/test.log</location>
  <log_format>command</log_format>
  <command>/bin/cat /tmp/test.log && date > /tmp/time.stamp</command>
</localfile>
Note that the /tmp/time.stamp file will have a timestamp, proving
that the command was successfully executed. In the local_decoder.xml
file, I added:
<decoder name="test">
  <prematch>Test</prematch>
</decoder>
<decoder name="test-alert">
  <parent>test</parent>
  <regex>This(\.*)Test</regex>
  <order>action</order>
</decoder>
In local_rules.xml, I added:
<group name="test">
  <rule id="100800" level="0">
    <decoded_as>test</decoded_as>
    <description>Test</description>
  </rule>
  <rule id="100801" level="7">
    <if_sid>100800</if_sid>
    <description>Test alert</description>
  </rule>
</group>
I created the log file (note that it is world-readable):
# ls -al /tmp/test.log
-rw-r--r-- 1 root root 92 2011-11-07 23:01 /tmp/test.log
# cat /tmp/test.log
This is a test.
This is a Test.
This is another Test.
This is a test with a lowercase 't'.
#
I restarted OSSEC, and found that the command ran successfully:
# cat /tmp/time.stamp
Mon Nov 7 23:01:29 EST 2011
#
... but no alert was generated. I checked to make sure that the
decoder & rule were written correctly:
# /usr/local/bin/ossec-logtest
2011/11/07 23:08:34 ossec-testrule: INFO: Reading local decoder file.
2011/11/07 23:08:34 ossec-testrule: INFO: Started (pid: 25104).
ossec-testrule: Type one log per line.
This is a Test.
**Phase 1: Completed pre-decoding.
full event: 'This is a Test.'
hostname: 'ossec_server'
program_name: '(null)'
log: 'This is a Test.'
**Phase 2: Completed decoding.
decoder: 'test'
action: ' is a '
**Phase 3: Completed filtering (rules).
Rule id: '100801'
Level: '7'
Description: 'Test alert'
**Alert to be generated.
Thus, the decoder & rule appear to be functional and the command is
successfully executed by OSSEC, yet no alert appears. It would seem
that this is a bug. FYI, this is against OSSEC v2.5.1 (the changelog
for v2.6 doesn't mention this issue).
Might anyone have any suggestions on how to fix this, or should I
just patiently wait for the next revision?
Thanks,
- Joe
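The post mentions a script that flattens a log file of multi-line XML entries so that a line-oriented collector sees one entry per line. The following is an added example of that step, not code from Joe's post or from the OSSEC project. It assumes nothing about the entry element's name: it accumulates lines until the buffer parses as one complete XML element, emits that element on a single line, and hands back any unfinished trailing entry so a caller tailing a live file can retry once more lines arrive. The sample log lines are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: two entries, each spanning several lines, as a
# line-oriented collector would otherwise see them one fragment at a time.
SAMPLE_LOG = """<event>
  <time>2011-11-07T23:01:29</time>
  <msg>This is a Test.</msg>
</event>
<event>
  <time>2011-11-07T23:01:30</time>
  <msg>This is another Test.</msg>
</event>
"""


def flatten_xml_entries(text):
    """Split text into complete top-level XML elements, one per line.

    Returns (entries, leftover): entries is a list of single-line
    serialisations of each complete element; leftover is the raw text of
    a trailing entry that has not been closed yet (empty if none), so the
    caller can keep it and retry when the rest of the entry is appended.
    """
    entries, buf = [], []
    for line in text.splitlines():
        if not buf and not line.strip():
            continue  # skip blank separator lines between entries
        buf.append(line)
        try:
            element = ET.fromstring("\n".join(buf))
        except ET.ParseError:
            continue  # element not closed yet; keep accumulating lines
        # Drop whitespace between tags, then collapse any remaining
        # newlines or runs of spaces inside text nodes to a single space.
        one_line = re.sub(r">\s+<", "><", ET.tostring(element, encoding="unicode"))
        entries.append(re.sub(r"\s+", " ", one_line).strip())
        buf = []
    return entries, "\n".join(buf)


def flatten_file(src_path, dst_path):
    """Flatten src_path into dst_path, one entry per line.

    Hypothetical helper for the cron/agent use described in the post:
    an unfinished trailing entry is not written, so re-running after the
    log grows will emit it once it is complete.
    """
    with open(src_path, encoding="utf-8") as src:
        entries, _leftover = flatten_xml_entries(src.read())
    with open(dst_path, "w", encoding="utf-8") as dst:
        for entry in entries:
            dst.write(entry + "\n")
    return len(entries)


if __name__ == "__main__":
    done, pending = flatten_xml_entries(SAMPLE_LOG)
    for entry in done:
        print(entry)
    if pending:
        print("incomplete trailing entry held back:", repr(pending))
```

Because an incomplete entry is held back rather than emitted as fragments, a collector tailing the flattened file never sees a half entry; the cost is one parse attempt per input line, which is fine for log-sized entries but not for multi-megabyte documents.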