Hello, I believe you are ignoring your own alert in your rule specification:

<rule id="100800" level="0">

Level 0 does not generate an alert. Change that to something else and test again ... Let me know if it worked, I am very interested also!

Thank you
BR

On Nov 8, 4:23 pm, Joe Testa <[email protected]> wrote:
> Hi all,
>
> I seem to have run into trouble using command log format handling.
> There's a log file that contains XML which spans multiple lines, so I
> wrote a Python script to flatten it so the agent process can pick up
> each entry and send it to the server. That didn't work, so I tried
> copying the log file to the server directly, but that didn't trigger an
> alert either.
>
> To debug this, I've greatly simplified the configuration so it's easy
> to try and reproduce. I can't even get it to "cat" a trivial file and
> kick off a sample alert.
>
> I've set it up like so. To the ossec.conf file, I added the
> following block:
>
> <localfile>
>   <location>/tmp/test.log</location>
>   <log_format>command</log_format>
>   <command>/bin/cat /tmp/test.log && date > /tmp/time.stamp</command>
> </localfile>
>
> Note that the /tmp/time.stamp file will have a timestamp, proving
> that the command was successfully executed. In the local_decoder.xml
> file, I added:
>
> <decoder name="test">
>   <prematch>Test</prematch>
> </decoder>
>
> <decoder name="test-alert">
>   <parent>test</parent>
>   <regex>This(\.*)Test</regex>
>   <order>action</order>
> </decoder>
>
> In local_rules.xml, I added:
>
> <group name="test">
>   <rule id="100800" level="0">
>     <decoded_as>test</decoded_as>
>     <description>Test</description>
>   </rule>
>   <rule id="100801" level="7">
>     <if_sid>100800</if_sid>
>     <description>Test alert</description>
>   </rule>
> </group>
>
> I created the log file (note that it is world-readable):
>
> # ls -al /tmp/test.log
> -rw-r--r-- 1 root root 92 2011-11-07 23:01 /tmp/test.log
> # cat /tmp/test.log
> This is a test.
> This is a Test.
> This is another Test.
> This is a test with a lowercase 't'.
> #
>
> I restarted OSSEC, and found that the command ran successfully:
>
> # cat /tmp/time.stamp
> Mon Nov 7 23:01:29 EST 2011
> #
>
> ... but no alert was generated. I checked to make sure that the
> decoder & rule were written correctly:
>
> # /usr/local/bin/ossec-logtest
> 2011/11/07 23:08:34 ossec-testrule: INFO: Reading local decoder file.
> 2011/11/07 23:08:34 ossec-testrule: INFO: Started (pid: 25104).
> ossec-testrule: Type one log per line.
>
> This is a Test.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'This is a Test.'
>        hostname: 'ossec_server'
>        program_name: '(null)'
>        log: 'This is a Test.'
>
> **Phase 2: Completed decoding.
>        decoder: 'test'
>        action: ' is a '
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100801'
>        Level: '7'
>        Description: 'Test alert'
> **Alert to be generated.
>
> Thus, the decoder & rule appear to be functional, and the command is
> successfully executed by OSSEC, yet no alert appears. It would seem
> that this is a bug. FYI, this is against OSSEC v2.5.1 (the changelog
> for v2.6 doesn't mention this issue).
>
> Might anyone have any suggestions on how to fix this, or should I
> just patiently wait for the next revision?
>
> Thanks,
> - Joe
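A way to check the decoder and rule chain offline, added here as an example that is neither part of the thread nor OSSEC's own code: a small Python model of the three ossec-logtest phases using the decoders and rules quoted above, run over a constructed copy of the four /tmp/test.log lines. Translating OSSEC's `\.` (any character in os_regex syntax) to Python's `.` is what reproduces the captured action ' is a ' shown in the logtest output; the linear rule walk and the `ossec_to_python_regex` helper are simplifications of mine, not OSSEC's matcher.

```python
import re

# Constructed copy of the four lines in the thread's /tmp/test.log
SAMPLE_LOG = ["This is a test.", "This is a Test.",
              "This is another Test.", "This is a test with a lowercase 't'."]

# Decoders and rules as quoted from local_decoder.xml / local_rules.xml
DECODERS = [{"name": "test", "prematch": "Test"},
            {"name": "test-alert", "parent": "test", "regex": r"This(\.*)Test", "order": "action"}]
RULES = [{"id": 100800, "level": 0, "decoded_as": "test"},
         {"id": 100801, "level": 7, "if_sid": 100800}]

def ossec_to_python_regex(pattern):
    """Translate the os_regex subset used here: OSSEC's '\\.' means any character
    (which is why logtest captured ' is a '), while a bare '.' is a literal dot."""
    return pattern.replace("\\.", "\x00").replace(".", r"\.").replace("\x00", ".")

def decode(line):
    """Phase 2: match a parent decoder's prematch, then its children's regex."""
    for parent in (d for d in DECODERS if "parent" not in d):
        if not re.search(ossec_to_python_regex(parent["prematch"]), line):
            continue
        fields = {}
        for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
            m = re.search(ossec_to_python_regex(child["regex"]), line)
            if m:
                fields[child["order"]] = m.group(1)
        return parent["name"], fields
    return None

def logtest(line):
    """Phase 3: walk the rule chain. A level-0 match is silent (no alert);
    a child reached through if_sid with level > 0 is what raises the alert."""
    result = {"decoder": None, "action": None, "rule": None, "level": 0}
    decoded = decode(line)
    if decoded is None:
        return result
    result["decoder"], fields = decoded
    result["action"] = fields.get("action")
    fired = None
    for rule in RULES:
        if rule.get("decoded_as", result["decoder"]) != result["decoder"]:
            continue
        if "if_sid" in rule and (fired is None or fired["id"] != rule["if_sid"]):
            continue
        fired = rule
    if fired:
        result["rule"], result["level"] = fired["id"], fired["level"]
    return result
```

The two capital-T lines reach rule 100801 at level 7 and the other two decode to nothing, matching the ossec-logtest output quoted above.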
