On Tue, Nov 8, 2011 at 9:23 AM, Joe Testa <[email protected]> wrote: > Hi all, > > I seem to have run into trouble using command log format handling. > There's a log file that contains XML which spans multiple lines, so I wrote > a Python script to flatten it so the agent process can pick up each entry > and send it to the server. That didn't work, so I tried copying the log > file to the server directly, but that didn't trigger an alert either. > > To debug this, I've greatly simplified the configuration so its easy to > try and reproduce. I can't even get it to "cat" a trivial file and kick off > a sample alert. > > I've set it up like so. To the ossec.conf file, I added the following > block: > > <localfile> > <location>/tmp/test.log</location> > <log_format>command</log_format> > <command>/bin/cat /tmp/test.log && date > /tmp/time.stamp</command> > </localfile> >
Have you tried it without the "&& date > /tmp/time.stamp"? > > Note that the /tmp/time.stamp file will have a timestamp, proving that the > command was successfully executed. In the local_decoder.xml file, I added: > > <decoder name="test"> > <prematch>Test</prematch> > </decoder> > > <decoder name="test-alert"> > <parent>test</parent> > <regex>This(\.*)Test</regex> > <order>action</order> > </decoder> > > > In local_rules.xml, I added: > > <group name="test"> > <rule id="100800" level="0"> > <decoded_as>test</decoded_as> > <description>Test</description> > </rule> > <rule id="100801" level="7"> > <if_sid>100800</if_sid> > <description>Test alert</description> > </rule> > </group> > You don't need to do that dance, unless you plan on making more rules. But for testing, it's easier not to do this. > > I created the log file (note that it is world-readable): > > # ls -al /tmp/test.log > -rw-r--r-- 1 root root 92 2011-11-07 23:01 /tmp/test.log > # cat /tmp/test.log > This is a test. > This is a Test. > This is another Test. > This is a test with a lowercase 't'. > # > > > I restarted OSSEC, and found that the command ran successfully: > > # cat /tmp/time.stamp > Mon Nov 7 23:01:29 EST 2011 > # > > ... but no alert was generated. I checked to make sure that the decoder & > rule was written correctly: > > # /usr/local/bin/ossec-logtest > 2011/11/07 23:08:34 ossec-testrule: INFO: Reading local decoder file. > 2011/11/07 23:08:34 ossec-testrule: INFO: Started (pid: 25104). > ossec-testrule: Type one log per line. > > This is a Test. > > > **Phase 1: Completed pre-decoding. > full event: 'This is a Test.' > hostname: 'ossec_server' > program_name: '(null)' > log: 'This is a Test.' > > **Phase 2: Completed decoding. > decoder: 'test' > action: ' is a ' > > **Phase 3: Completed filtering (rules). > Rule id: '100801' > Level: '7' > Description: 'Test alert' > **Alert to be generated. > > > Thus, the decoder & rule appear to be functional, the command is > successfully executed by OSSEC, but yet no alert appears. It would seem > that this is a bug. FYI, this is against OSSEC v2.5.1 (the changelog for > v2.6 doesn't mention this issue). > > Might anyone have any suggestions on how to fix this, or should I just > patiently wait for the next revision? > > Thanks, > - Joe >
