It's not quite an automated script, but it's here for future reference for
anyone who wants to improve it.
First command - get the last 'x' entries, strip the leading OSSEC data,
drop the rest into logtest, look for lines that do not hit a decoder, then
look for the log data line for that no-match. Save this to
~/decoderless_data
Second command - Run this a few times to strip out noisy lines/alerts,
things you don't like or don't care about, save to decoderless_data.2
Last command - sort these by commonness (yes a date stamp in the log can
prevent grouping, but this line does help a bit), save to ~/decoderless_data.3
# tail -n 10000 /var/ossec/logs/archives/archives.log | sed 's/) /)/g' \
    | cut -d' ' -f6- | /var/ossec/bin/ossec-logtest 2>&1 \
    | grep "No decoder matched" -B3 | grep "log: " \
    | sed "s/^ *log: '//; s/'\$//" > ~/decoderless_data
# cat ~/decoderless_data | egrep -v "(<<your string here>>)" > decoderless_data.2
# cat decoderless_data.2 | sort | uniq -c | sort -n > ~/decoderless_data.3
In the end, you have a file with the common lines that are not hitting a
decoder. This should help find 'new stuff'.
I managed to get a few odds and sods, but not enough to really write
anything hugely useful, however I am going to look for log examples on the
net for these devices and try and fill them out a bit, if they look useful
in the end I will post what I have.
Andy
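The three steps above gathered into one script, as an added example that is not Andy's code: the archive-header strip, the logtest parse, the noise filter and the ranking each become a function so they can be tried on sample text without a running OSSEC install. The archives.log layout and the ossec-logtest output wording used here are assumptions taken from OSSEC's documented format.

```shell
#!/bin/sh
# Added example, not the original poster's script: the post's three steps as
# shell functions so each stage can be run and checked on its own.
# Assumes the archives.log layout "YYYY Mon DD HH:MM:SS (agent) ip->location event"
# (or "host->location event" for the local host) and ossec-logtest's
# "log: '...'" / "No decoder matched." output lines.

# Stage 1a: drop the leading archive fields, keep the raw event text.
# cut (rather than awk's index()) so an event that starts with the same
# month name as the archive timestamp is not cut at the wrong place.
strip_archive_header() {
    sed 's/) /)/g' | cut -d' ' -f6-
}

# Stage 1b: from ossec-logtest output keep only events no decoder matched.
undecoded_events() {
    awk '
        /^ *log: / { ev = $0; sub(/^ *log: '\''/, "", ev); sub(/'\''$/, "", ev) }
        /No decoder matched/ { print ev }
    '
}

# Stage 2: drop known noise; the argument is an extended regex, empty keeps all.
drop_noise() {
    if [ -n "$1" ]; then grep -E -v -- "$1"; else cat; fi
}

# Stage 3: rank what is left by frequency, most common first.
rank_events() {
    sort | uniq -c | sort -rn
}

# Whole pipeline as in the post: last N archive lines through logtest.
find_undecoded() {  # usage: find_undecoded [lines] [noise-regex]
    tail -n "${1:-10000}" /var/ossec/logs/archives/archives.log \
        | strip_archive_header \
        | /var/ossec/bin/ossec-logtest 2>&1 \
        | undecoded_events \
        | drop_noise "${2:-}" \
        | rank_events
}
```

Run `find_undecoded 10000 'cron|sshd'` on the manager to get the ranked list in one go, or feed saved logtest output straight into `undecoded_events | rank_events`.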