Hi,
If you notice, I showed that I used /usr/local/bin/ossec-logtest to
check that the rule works properly. It output "**Alert to be
generated.", which shows that the rule is set up correctly.
I put in "<rule id="100800" level="0">" because (last I checked)
that's what the official docs say to do. The real rule is defined
directly underneath it.
I have not been able to solve this problem yet.
Thanks,
- Joe
On 11/17/2011 09:10 AM, alsdks wrote:
Hello,
I believe you are ignoring your own alert in your rule specification:
<rule id="100800" level="0">
level 0 does not generate an alert. Change that to something else and
test again ...
Let me know if it worked, I am very interested also!
Thank you
BR
On Nov 8, 4:23 pm, Joe Testa <[email protected]> wrote:
Hi all,
I seem to have run into trouble using command log format handling.
There's a log file that contains XML which spans multiple lines, so I
wrote a Python script to flatten it so the agent process can pick up
each entry and send it to the server. That didn't work, so I tried
copying the log file to the server directly, but that didn't trigger an
alert either.
To debug this, I've greatly simplified the configuration so it's easy
to try and reproduce. I can't even get it to "cat" a trivial file and
kick off a sample alert.
I've set it up like so. To the ossec.conf file, I added the
following block:
<localfile>
<location>/tmp/test.log</location>
<log_format>command</log_format>
<command>/bin/cat /tmp/test.log && date > /tmp/time.stamp</command>
</localfile>
Note that the /tmp/time.stamp file will have a timestamp, proving
that the command was successfully executed. In the local_decoder.xml
file, I added:
<decoder name="test">
<prematch>Test</prematch>
</decoder>
<decoder name="test-alert">
<parent>test</parent>
<regex>This(\.*)Test</regex>
<order>action</order>
</decoder>
In local_rules.xml, I added:
<group name="test">
<rule id="100800" level="0">
<decoded_as>test</decoded_as>
<description>Test</description>
</rule>
<rule id="100801" level="7">
<if_sid>100800</if_sid>
<description>Test alert</description>
</rule>
</group>
I created the log file (note that it is world-readable):
# ls -al /tmp/test.log
-rw-r--r-- 1 root root 92 2011-11-07 23:01 /tmp/test.log
# cat /tmp/test.log
This is a test.
This is a Test.
This is another Test.
This is a test with a lowercase 't'.
#
I restarted OSSEC, and found that the command ran successfully:
# cat /tmp/time.stamp
Mon Nov 7 23:01:29 EST 2011
#
... but no alert was generated. I checked to make sure that the
decoder & rule were written correctly:
# /usr/local/bin/ossec-logtest
2011/11/07 23:08:34 ossec-testrule: INFO: Reading local decoder file.
2011/11/07 23:08:34 ossec-testrule: INFO: Started (pid: 25104).
ossec-testrule: Type one log per line.
This is a Test.
**Phase 1: Completed pre-decoding.
full event: 'This is a Test.'
hostname: 'ossec_server'
program_name: '(null)'
log: 'This is a Test.'
**Phase 2: Completed decoding.
decoder: 'test'
action: ' is a '
**Phase 3: Completed filtering (rules).
Rule id: '100801'
Level: '7'
Description: 'Test alert'
**Alert to be generated.
Thus, the decoder & rule appear to be functional, and the command is
successfully executed by OSSEC, yet no alert appears. It would seem
that this is a bug. FYI, this is against OSSEC v2.5.1 (the changelog
for v2.6 doesn't mention this issue).
Might anyone have any suggestions on how to fix this, or should I
just patiently wait for the next revision?
Thanks,
- Joe
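Added illustration (not part of the thread and not OSSEC's own code): a small Python model of how the decoders and rules quoted above are evaluated, run over the four lines from /tmp/test.log. It reproduces the ossec-logtest result (rule 100801 fires at level 7 on lines containing "Test", so the level 0 parent rule is not what suppresses the alert) and assumes only the subset of OSSEC regex syntax used in the thread, where `\.` means any character.

```python
import re

# OSSEC regex is not PCRE: '.' is a literal dot and '\.' matches any character.
def ossec_regex_to_python(pattern):
    """Translate the OSSEC regex subset used in the thread to Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt if nxt in "wdsWDStn" else re.escape(nxt))
            i += 2
        else:
            out.append(c if c in "()*+?^$|" else re.escape(c))
            i += 1
    return "".join(out)

# Transcribed from the thread's local_decoder.xml and local_rules.xml
DECODERS = {"test": {"prematch": "Test"},
            "test-alert": {"parent": "test", "regex": r"This(\.*)Test", "order": ["action"]}}
RULES = [{"id": 100800, "level": 0, "decoded_as": "test"},
         {"id": 100801, "level": 7, "if_sid": 100800}]

def decode(log):
    """Phase 2: choose the parent decoder by prematch, then let a child extract fields."""
    for name, d in DECODERS.items():
        if "parent" in d or d["prematch"] not in log:
            continue
        fields = {}
        for child in DECODERS.values():
            if child.get("parent") == name:
                m = re.search(ossec_regex_to_python(child["regex"]), log)
                if m:
                    fields = dict(zip(child["order"], m.groups()))
        return name, fields
    return None, {}

def evaluate(log):
    """Phase 3: follow decoded_as -> if_sid; return (rule_id, level, fields) or None."""
    decoder, fields = decode(log)
    matched = None
    for r in RULES:
        if decoder and (r.get("decoded_as") == decoder or (matched and r.get("if_sid") == matched["id"])):
            matched = r
    return (matched["id"], matched["level"], fields) if matched else None

def alerts(lines):
    """An alert is generated only when the final matching rule has a level above 0."""
    results = [(line, evaluate(line)) for line in lines]
    return [(line, res[0], res[1]) for line, res in results if res and res[1] > 0]

# Constructed sample: the four lines Joe placed in /tmp/test.log
SAMPLE = ["This is a test.", "This is a Test.", "This is another Test.",
          "This is a test with a lowercase 't'."]
```

Running alerts(SAMPLE) flags only the two lines that contain "Test" with a capital T, because the prematch is case-sensitive; the other two never reach any rule.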