Apologies I just saw your nested rule , you are correct the parent should not be anything else than zero .
Cheers ! On Nov 17, 4:46 pm, Joe Testa <[email protected]> wrote: > Hi, > > If you notice, I showed that I used /usr/local/bin/ossec-logtest to > check that the rule works properly. It output "**Alert to be > generated.", which shows that the rule is set up correctly. > > I put in "<rule id="100800" level="0">" because (last I checked) > that's what the official docs say to do. The real rule is defined > directly underneath it. > > I have not been able to solve this problem yet. > > Thanks, > - Joe > > On 11/17/2011 09:10 AM, alsdks wrote: > > > > > > > > > Hello, > > > I believe you are ignoring your own alert in your rule specification: > > > <rule id="100800" level="0"> > > > level 0 does not generate an alert . Change that to something else and > > test again ... > > > Let me know if it worked I am very interested also! > > > Thank you > > BR > > > On Nov 8, 4:23 pm, Joe Testa<[email protected]> wrote: > >> Hi all, > > >> I seem to have run into trouble usingcommandlogformathandling. > >> There's alogfile that contains XML which spans multiple lines, so I > >> wrote a Python script to flatten it so the agent process can pick up > >> each entry and send it to the server. That didn't work, so I tried > >> copying thelogfile to the server directly, but that didn't trigger an > >> alert either. > > >> To debug this, I've greatly simplified the configuration so its easy > >> to try and reproduce. I can't even get it to "cat" a trivial file and > >> kick off a sample alert. > > >> I've set it up like so. To the ossec.conf file, I added the > >> following block: > > >> <localfile> > >> <location>/tmp/test.log</location> > >> <log_format>command</log_format> > >> <command>/bin/cat /tmp/test.log&& date> /tmp/time.stamp</command> > >> </localfile> > > >> Note that the /tmp/time.stamp file will have a timestamp, proving > >> that thecommandwas successfully executed. In the local_decoder.xml > >> file, I added: > > >> <decoder name="test"> > >> <prematch>Test</prematch> > >> </decoder> > > >> <decoder name="test-alert"> > >> <parent>test</parent> > >> <regex>This(\.*)Test</regex> > >> <order>action</order> > >> </decoder> > > >> In local_rules.xml, I added: > > >> <group name="test"> > >> <rule id="100800" level="0"> > >> <decoded_as>test</decoded_as> > >> <description>Test</description> > >> </rule> > >> <rule id="100801" level="7"> > >> <if_sid>100800</if_sid> > >> <description>Test alert</description> > >> </rule> > >> </group> > > >> I created thelogfile (note that it is world-readable): > > >> # ls -al /tmp/test.log > >> -rw-r--r-- 1 root root 92 2011-11-07 23:01 /tmp/test.log > >> # cat /tmp/test.log > >> This is a test. > >> This is a Test. > >> This is another Test. > >> This is a test with a lowercase 't'. > >> # > > >> I restarted OSSEC, and found that thecommandran successfully: > > >> # cat /tmp/time.stamp > >> Mon Nov 7 23:01:29 EST 2011 > >> # > > >> ... but no alert was generated. I checked to make sure that the > >> decoder& rule was written correctly: > > >> # /usr/local/bin/ossec-logtest > >> 2011/11/07 23:08:34 ossec-testrule: INFO: Reading local decoder file. > >> 2011/11/07 23:08:34 ossec-testrule: INFO: Started (pid: 25104). > >> ossec-testrule: Type onelogper line. > > >> This is a Test. > > >> **Phase 1: Completed pre-decoding. > >> full event: 'This is a Test.' > >> hostname: 'ossec_server' > >> program_name: '(null)' > >> log: 'This is a Test.' > > >> **Phase 2: Completed decoding. > >> decoder: 'test' > >> action: ' is a ' > > >> **Phase 3: Completed filtering (rules). > >> Rule id: '100801' > >> Level: '7' > >> Description: 'Test alert' > >> **Alert to be generated. > > >> Thus, the decoder& rule appear to be functional, thecommandis > >> successfully executed by OSSEC, but yet no alert appears. It would seem > >> that this is a bug. FYI, this is against OSSEC v2.5.1 (the changelog > >> for v2.6 doesn't mention this issue). > > >> Might anyone have any suggestions on how to fix this, or should I > >> just patiently wait for the next revision? > > >> Thanks, > >> - Joe
