Hi,
I'm using
<localfile>
<log_format>command</log_format>
<command>last -i</command>
</localfile>
After setting the config, you can see that
/var/ossec/logs/archives/archives.log shows:
2011 Nov 30 15:25:40 ubuntu->last -i ossec: output: 'last -i': hubert pts/0 192.168.111.1 Wed Nov 30 14:55 still logged in
So for local_decoder.xml:
<decoder name="ossec-command-last">
<parent>ossec</parent>
<use_own_name>true</use_own_name>
<type>ossec</type>
<prematch offset="after_parent">^output: 'last -i': </prematch>
<regex offset="after_prematch">^(\S+)\s+\S+\s+(\S+)</regex>
<order>user, srcip</order>
</decoder>
You can use /var/ossec/bin/ossec-logtest to test your decoder:
ubuntu [~ossec/etc] -root- [W] /var/ossec/bin/ossec-logtest
2011/11/30 15:53:37 ossec-testrule: INFO: Reading local decoder file.
2011/11/30 15:53:37 ossec-testrule: INFO: Started (pid: 3510).
ossec-testrule: Type one log per line.
ossec: output: 'last -i': hubert pts/0 192.168.111.1 Wed Nov 30 14:55 still logged in
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'last -i': hubert pts/0 192.168.111.1 Wed Nov 30 14:55 still logged in'
hostname: 'ubuntu'
program_name: '(null)'
log: 'ossec: output: 'last -i': hubert pts/0 192.168.111.1 Wed Nov 30 14:55 still logged in'
**Phase 2: Completed decoding.
decoder: 'ossec'
dstuser: 'hubert'
srcip: '192.168.111.1'
Hubert
On Thu, Nov 17, 2011 at 7:34 PM, alsdks <[email protected]> wrote:
> Hello all,
>
> Is it possible to write a decoder for the output of a command?
>
> For example I have set up this command
>
> <localfile>
> <log_format>command</log_format>
> <command>last</command>
> </localfile>
>
> and would like to decode the output to get the source IP and later
> compare it to a cdb list in a rule,
> to alert when no match is found against that list.
>
> Am I completely off on this ?
>
> Thank you
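The following is an added worked example, not code from either poster or from OSSEC itself. It replays the decoder above in Python over a handful of constructed `ossec: output: 'last -i': ...` events (one per line of `last -i` output, the way a command localfile feeds them in), then applies the check the original question asked for: compare the decoded srcip with an allowlist standing in for the CDB list and flag any source that is not on it. The parent prematch `^ossec: ` is assumed from the logtest output, which shows the raw event beginning with that prefix; the `ALLOWLIST` dict, the sample events and the reboot/`wtmp begins` trailer lines are constructed here. Those trailer lines are the point of the example: the regex captures the third whitespace-separated field of whatever `last` printed, so a rule keyed only on "srcip not in list" would also fire on them unless the rule or a post-check insists on an actual IP address.

```python
"""Emulate the ossec-command-last decoder and a CDB-style srcip check.

Added example for this thread; not OSSEC code. The parent prematch and the
sample data below are assumptions, marked as such.
"""
import ipaddress
import re

# Assumed: OSSEC's stock "ossec" parent decoder matches on this prefix (the
# logtest output on the page shows the event starting "ossec: output: ...").
PARENT_PREMATCH = re.compile(r"^ossec: ")

# The two patterns from local_decoder.xml above, in Python re syntax. For
# this pattern OSSEC's ^, \S, \s and (...) mean the same thing as in re.
PREMATCH = re.compile(r"^output: 'last -i': ")
REGEX = re.compile(r"^(\S+)\s+\S+\s+(\S+)")

# Constructed sample events, one per `last -i` output line, in the form
# archives.log shows them for a command localfile. The reboot and wtmp
# lines mimic last's usual trailer output and are here to show that the
# decoder fires on them too; the sshd line is an unrelated event.
SAMPLE_EVENTS = [
    "ossec: output: 'last -i': hubert pts/0 192.168.111.1 Wed Nov 30 14:55 still logged in",
    "ossec: output: 'last -i': alice pts/1 10.9.8.7 Wed Nov 30 13:02 - 13:40 (00:38)",
    "ossec: output: 'last -i': reboot system boot 0.0.0.0 Wed Nov 30 12:58 - 15:25 (02:27)",
    "ossec: output: 'last -i': wtmp begins Mon Nov 7 09:12:03 2011",
    "sshd[123]: Accepted password for bob from 10.0.0.5 port 4242 ssh2",
]

# Constructed stand-in for the CDB list the rule would consult: key is the
# source IP, value is whatever annotation the list carries.
ALLOWLIST = {"192.168.111.1": "hubert workstation"}


def decode(event):
    """Run the decoder stages in order: parent prematch, child prematch at
    offset after_parent, regex at offset after_prematch. Returns the fields
    named in <order> (user, srcip) or None if any stage fails to match."""
    m = PARENT_PREMATCH.match(event)
    if not m:
        return None
    rest = event[m.end():]
    m = PREMATCH.match(rest)
    if not m:
        return None
    m = REGEX.match(rest[m.end():])
    if not m:
        return None
    return {"user": m.group(1), "srcip": m.group(2)}


def evaluate(events, allowlist):
    """Apply the rule the original poster described: alert on every decoded
    srcip that is absent from the list. Records whose srcip field is not a
    real remote address (the "Mon" captured from the wtmp trailer, or the
    0.0.0.0 of a reboot record) go to `skipped` instead of alerting."""
    alerts, skipped = [], []
    for ev in events:
        fields = decode(ev)
        if fields is None:
            continue
        try:
            ip = ipaddress.ip_address(fields["srcip"])
        except ValueError:
            skipped.append(fields)       # third field was not an IP
            continue
        if ip.is_unspecified:            # 0.0.0.0: no remote host
            skipped.append(fields)
            continue
        if fields["srcip"] not in allowlist:
            alerts.append(fields)
    return alerts, skipped


if __name__ == "__main__":
    alerts, skipped = evaluate(SAMPLE_EVENTS, ALLOWLIST)
    for a in alerts:
        print("ALERT: login by %(user)s from unlisted %(srcip)s" % a)
    for s in skipped:
        print("skipped non-address record: %(user)s / %(srcip)s" % s)
```

Running it alerts only on alice's login from 10.9.8.7; hubert's address is on the list, and the reboot and `wtmp begins` records are reported as skipped rather than raising noise. In OSSEC terms the same filtering belongs in the rule that does the `<list>` lookup, for example by requiring the decoded srcip to look like an address before the list check, since the decoder itself will happily hand the rule whatever `last` put in column three.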