hi
thanks for the feedback, it's good, it's useful for me.
thanks & Best Regards
From: dan (ddp)
Date: 2013-02-27 21:43
To: ossec-list
Subject: Re: Re: [ossec-list] how to write decoder?
On Wed, Feb 27, 2013 at 7:54 AM, root <[email protected]> wrote:
> hi,
>
> it's wrong if I write this
>
> <decoder name="rsyslog">
> <program_name>^rsyslogd-pstats</program_name>
> <regex>^(.*)\s+rsyslogd-pstats:\s+(.*)</regex>
<regex> requires an <order>. I also don't think your regex is correct.
I'm also not sure what you're trying to get out of this, so this is
just a guess.
logtest:
2013/02/27 08:34:58 ossec-testrule: INFO: Reading local decoder file.
2013/02/27 08:34:58 ossec-testrule: INFO: Started (pid: 22204).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
No decoder matched.
# vi /var/ossec/rules/local_rules.xml
# vi /var/ossec/etc/local_decoder.xml
# cat /tmp/jjj | /var/ossec/bin/ossec-logtest
2013/02/27 08:36:52 ossec-testrule: INFO: Reading local decoder file.
2013/02/27 08:36:53 ossec-testrule: INFO: Started (pid: 8890).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
No decoder matched.
So the log we can work with is: imudp(*:514): submitted=0
We're going to ignore everything before that when dealing with regex
or prematch.
With a simple decoder:
<decoder name="rsyslog-pstats">
<program_name>^rsyslogd-pstats</program_name>
</decoder>
2013/02/27 08:41:13 ossec-testrule: INFO: Reading local decoder file.
2013/02/27 08:41:14 ossec-testrule: INFO: Started (pid: 4098).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
No decoder matched.
# vi /var/ossec/etc/local_decoder.xml
# cat /tmp/jjj | /var/ossec/bin/ossec-logtest
2013/02/27 08:41:27 ossec-testrule: INFO: Reading local decoder file.
2013/02/27 08:41:27 ossec-testrule: INFO: Started (pid: 7828).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
But I want to know how many whatevers were submitted.
<decoder name="rsyslog-pstats">
<program_name>^rsyslogd-pstats</program_name>
<!-- I use \p instead of ( and ) because those mean things -->
<regex>^\S+\p\S+:\d+\p: submitted=(\d+)</regex>
<order>extra_data</order>
</decoder>
2013/02/27 08:42:55 ossec-testrule: INFO: Reading local decoder file.
2013/02/27 08:42:55 ossec-testrule: INFO: Started (pid: 32726).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
extra_data: '0'
ta-da!
> </decoder>
>
> ossec says
>
> 2013/02/27 20:52:59 ossec-analysisd(2107): ERROR: Decoder configuration
> error: 'rsyslog'.
> 2013/02/27 20:52:59 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
>
> thanks & Best Regards
>
> From: dan (ddp)
> Date: 2013-02-27 20:40
> To: ossec-list
> Subject: Re: [ossec-list] how to write decoder?
>
> On Feb 27, 2013 7:27 AM, "root" <[email protected]> wrote:
>>
>> hi, all
>>
>> now, I write the decoder like this
>>
>> <decoder name="rsyslog">
>> <prematch>^(.*)\s+rsyslogd-pstats:\s+(.*)</prematch>
>
> This looks like an attempt at regex. I think the syntax is off, but I can't
> be sure without a sample.
>
>> <order>extra_data</order>
>
> You need a <regex>.
>
>> </decoder>
>>
>> but when I restart ossec
>>
>> 2013/02/27 20:04:21 ossec-analysisd(2107): ERROR: Decoder configuration
>> error: 'rsyslog'.
>> 2013/02/27 20:04:21 ossec-testrule(1202): ERROR: Configuration error at
>> '/etc/decoder.xml'. Exiting.
>>
>> how can I do what?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>
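An added example, not code from the thread or from OSSEC, that emulates the two ossec-logtest phases dan walks through above: Phase 1 splits off the syslog header so <program_name> and <regex> never see it, and Phase 2 applies the decoder in OSSEC's own regex dialect (the \p punctuation class stands for a literal parenthesis, and a <regex> without <order> is rejected the way ossec-analysisd rejected it). The sample event is constructed, the escape table covers only the documented OSSEC escapes, and Python's backtracking matcher is assumed to agree with OSSEC's on these patterns.

```python
import re
# Constructed sample event, same shape as the one fed to ossec-logtest in the thread.
SAMPLE = ("2013-02-27T19:06:08.807161+08:00 localhost "
          "rsyslogd-pstats: imudp(*:514): submitted=0")

# OSSEC regex escapes (documented subset) as Python classes. \p is OSSEC's punctuation
# class and is how the decoder matches a literal '(' or ')': bare parentheses group.
OSSEC_ESCAPES = {r"\d": "[0-9]", r"\D": "[^0-9]", r"\w": "[A-Za-z0-9_]", r"\s": " ",
                 r"\S": "[^ ]", r"\t": r"\t", r"\.": ".", r"\p": r"[()*+,\-.:;<=>?\[\]]"}

def ossec_regex_to_python(pattern):
    """^ $ ( ) + * | keep their meaning, escapes expand, anything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            tok = pattern[i:i + 2]
            if tok not in OSSEC_ESCAPES:
                raise ValueError(f"unsupported OSSEC escape {tok!r}")
            out.append(OSSEC_ESCAPES[tok])
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "^$()+*|" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

def predecode(event):
    """Simplified Phase 1: 'timestamp hostname program_name: log' -> fields."""
    m = re.match(r"^(\S+) (\S+) ([^:\s]+): (.*)$", event)
    return {"hostname": m[2], "program_name": m[3], "log": m[4]} if m else {"log": event}

def decode(decoder, event):
    """Phase 2 for one decoder: <program_name> gate, then <regex> on the 'log' field only;
    returns the <order> fields, or None when the decoder does not match."""
    if "regex" in decoder and "order" not in decoder:
        # The mistake behind 'ERROR: Decoder configuration error' in the thread.
        raise ValueError(f"decoder {decoder['name']!r}: <regex> requires <order>")
    pre = predecode(event)
    gate = decoder.get("program_name")
    if gate and not re.match(ossec_regex_to_python(gate), pre.get("program_name", "")):
        return None
    if "regex" not in decoder:
        return {"decoder": decoder["name"]}
    m = re.search(ossec_regex_to_python(decoder["regex"]), pre["log"])
    return {"decoder": decoder["name"],
            **dict(zip(decoder["order"].split(","), m.groups()))} if m else None

# dan's working decoder, and the first attempt's pattern: the header it looks for
# was already stripped in Phase 1, so it can never match the 'log' field.
PSTATS = {"name": "rsyslog-pstats", "program_name": r"^rsyslogd-pstats",
          "regex": r"^\S+\p\S+:\d+\p: submitted=(\d+)", "order": "extra_data"}
FIRST_TRY = {**PSTATS, "regex": r"^(.*)\s+rsyslogd-pstats:\s+(.*)"}
```

Running decode(PSTATS, SAMPLE) gives extra_data '0', the same result ossec-logtest printed, while decode(FIRST_TRY, SAMPLE) returns None because the timestamp and program name are gone before the regex runs.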