On Mon, Feb 13, 2012 at 3:25 PM, <[email protected]> wrote:
> I have an ESX server sending syslog to a central log server that has an OSSEC
> agent running.
>
> I configured the agent to read that file:
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/stuff/log/vmwareserver/vm-%Y%m%d.log</location>
> </localfile>
>
> The logs go into syslog-ng on the OSSEC system, and then are written to a
> daily logfile, which I intend to be read/monitored.
>
> I have rules being loaded:
>
> <include>vmware_rules.xml</include>
> <include>vmware_esxi_rules.xml</include>
>
> My local_decoder has Wim's ESXi decoders, a general ESXi decoder, an
> alternative login decoder, and a few others that I found via searches of the
> archives and repositories.
>
> They seem to work fine (at least the ones I want to work) when I run them
> through ossec-logtest. The problem is, I'm struggling to get a rule that
> will fire on it.
>
> Testing the decoder:
>
> <!-- state transition decoder -->
> <decoder name="esxi-state-transition">
> <parent>esxi</parent>
> <prematch>State Transition (\S+ -> \S+)</prematch>
> <regex>State Transition (\(\S+) -> (\S+)\)</regex>
> <order>status, action</order>
> </decoder>
>
> ...using the example provided with it:
>
> Mar 21 19:17:02 192.168.1.2 Hostd: [2011-03-21 19:17:02.053 4A4DDB90
> info 'vm:/vmfs/volumes/4d5ab801-a3984e3b-3c46-0014221a2fc4/WIN03/WIN03.vmx']
> State Transition (VM_STATE_REVERT_SNAPSHOT -> VM_STATE_ON)
>
> The ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
> full event: 'Mar 21 19:17:02 192.168.1.2 Hostd: [2011-03-21
> 19:17:02.053 4A4DDB90 info
> 'vm:/vmfs/volumes/4d5ab801-a3984e3b-3c46-0014221a2fc4/WIN03/WIN03.vmx'] State
> Transition (VM_STATE_REVERT_SNAPSHOT -> VM_STATE_ON)'
> hostname: '192.168.1.2'
> program_name: 'Hostd'
> log: '[2011-03-21 19:17:02.053 4A4DDB90 info
> 'vm:/vmfs/volumes/4d5ab801-a3984e3b-3c46-0014221a2fc4/WIN03/WIN03.vmx'] State
> Transition (VM_STATE_REVERT_SNAPSHOT -> VM_STATE_ON)'
>
> **Phase 2: Completed decoding.
> decoder: 'esxi'
> status: '(VM_STATE_REVERT_SNAPSHOT'
> action: 'VM_STATE_ON)'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '490101'
> Level: '1'
> Description: 'Grouping for esxi hostd logs.'
> **Alert to be generated.
>
> Shouldn't this match the 'esxi-state-transition' decoder as well?
>
It looks like it does. status and action are both decoded, so unless that's happening in another decoder, "esxi-state-transition" seems to match.
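As an added example (not posted by either participant in the thread): a rule file that actually fires on the fields the esxi-state-transition decoder fills. It chains off the grouping rule 490101 that ossec-logtest reported, and it keys on the decoded status and action values exactly as logtest printed them, parentheses included, because the decoder's regex `(\(\S+) -> (\S+)\)` leaves them in the captured text. The rule ids 100200/100201, the levels and the group name are made up for illustration; it also assumes OSSEC 2.x semantics in which `<action>` is compared as an exact string while `<status>` is matched as an OSSEC match pattern (substring), so the trailing parenthesis in the action value matters but the leading one in the status value does not.

```xml
<!-- Added example rules for the esxi-state-transition decoder.
     Not from the thread; rule ids, levels and group name are hypothetical. -->
<group name="vmware,esxi,">

  <!-- Assumption: <action> is an exact string compare in OSSEC 2.x, so the
       value is written exactly as logtest decoded it: 'VM_STATE_ON)' with
       the trailing parenthesis the decoder regex leaves in the capture. -->
  <rule id="100200" level="5">
    <if_sid>490101</if_sid>
    <action>VM_STATE_ON)</action>
    <description>ESXi: virtual machine transitioned to the powered-on state.</description>
  </rule>

  <!-- <status> is an OSSEC match pattern (substring), so the leading
       parenthesis in '(VM_STATE_REVERT_SNAPSHOT' can be left out. -->
  <rule id="100201" level="7">
    <if_sid>490101</if_sid>
    <status>VM_STATE_REVERT_SNAPSHOT</status>
    <description>ESXi: virtual machine state was reverted from a snapshot.</description>
  </rule>

</group>
```

Drop this into local_rules.xml (or into one of the included vmware rule files), restart ossec-analysisd, and rerun ossec-logtest with the same Hostd line: Phase 2 will still name the parent decoder 'esxi', which is expected for a child decoder, but Phase 3 should now report one of these rules instead of stopping at the level 1 grouping rule 490101. If it still reports 490101, compare the decoded status/action strings in Phase 2 character for character against the rule, since a stray parenthesis is the usual reason an exact-string field never matches.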
