On Thu, Feb 28, 2013 at 7:15 AM, root <[email protected]> wrote:
>
> So, thanks.
>
> I think that "extra_data" can match in rules after a <regex>
> :(
>
>
The problem is that you are not populating extra_data in your decoder.
You said you are using the following decoder:
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>
So running the log message through ossec-logtest with that decoder produces:
2013/02/28 09:02:42 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 09:02:42 ossec-testrule: INFO: Started (pid: 7873).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
As you can see there is no extra_data field in Phase 2.
I think the decoder I provided the other day looked something like this:
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
  <regex>^\S+\p\S+:\d+\p: submitted=(\d+)$</regex>
  <order>extra_data</order>
</decoder>
Using this decoder and the same log message I now get:
2013/02/28 09:06:17 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 09:06:17 ossec-testrule: INFO: Started (pid: 19646).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'imudp(*:514): submitted=0'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
extra_data: '0'
As you can see the extra_data is now populated in Phase 2, and it
should be available for use in rules.
If you want to create an alert for 0 submitted widgets, you could do
something like this:
<rule id="200001" level="7">
  <decoded_as>rsyslog-pstats</decoded_as>
  <extra_data>0</extra_data>
  <description>0 widgets!</description>
</rule>
> Thanks & best regards
>
> From: dan (ddp)
> Sent: 2013-02-28 19:32
> To: ossec-list
> Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax
>
>
> On Feb 28, 2013 6:26 AM, "root" <[email protected]> wrote:
>>
>> Hi,
>>
>> About this problem, look at this:
>>
>> My decoder is:
>>
>>
>> <decoder name="rsyslog-pstats">
>>   <program_name>^rsyslogd-pstats</program_name>
>> </decoder>
>>
>
> You aren't decoding an extra_data entry here, so your rule will never match.
> The second example I wrote for you decoded this properly.
>
>> My test rule is:
>>
>> <group name="local,rsyslog,">
>>   <rule id="1050001" level="7">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>>     <extra_data>0</extra_data>
>>     <description>Rsyslog Failed</description>
>>   </rule>
>> </group>
>>
>>
>> Log test:
>>
>> [root@localhost bin]# ./ossec-logtest
>> 2013/02/28 17:15:30 ossec-testrule: INFO: Reading local decoder file.
>> 2013/02/28 17:15:30 ossec-testrule: INFO: Started (pid: 12165).
>> ossec-testrule: Type one log per line.
>>
>> 2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7:
>> processed=0 failed=0
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0'
>> hostname: 'localhost'
>> program_name: 'rsyslogd-pstats'
>> log: 'action 7: processed=0 failed=0'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'rsyslog-pstats'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '1002'
>> Level: '2'
>> Description: 'Unknown problem somewhere in the system.'
>>
>>
>> So, I think the rule is wrong, but I don't know what is wrong with the rule?
>>
>>
>>
>> Thanks & best regards
>> From: root
>> Sent: 2013-02-28 15:40
>> To: ossec-list
>> Subject: Re: about ossec rules Regular Expression Syntax
>>
>> And what does <extra_data> mean in rules?
>> Does it support regular expression syntax?
>>
>> Now my rule is:
>>
>> <group name="local,rsyslog,">
>>   <rule id="1050001" level="7">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>>     <extra_data>^[1-9]+</extra_data>
>>     <description>Rsyslog Failed</description>
>>   </rule>
>> </group>
>>
>> It looks like it cannot work?
>>
>>
>>
>>
>> Thanks & best regards
>>
>> From: root
>> Sent: 2013-02-28 15:33
>> To: ossec-list
>> Subject: about ossec rules Regular Expression Syntax
>> Hi all,
>>
>> I have a question about the OSSEC rules regular expression syntax.
>>
>> We know that when I want to match a number, I can use "\d" or "\d+".
>>
>> But now, if I have a string like this:
>>
>> "failed=0"=="failed=(\d+)"
>>
>> I want to exclude "0". I use "failed=([1-9]+)", but it cannot match it.
>>
>> How can I do this?
>>
>>
>>
>>
>> Thanks & best regards
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
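The thread's debugging loop (change the decoder, paste a line into ossec-logtest, eyeball Phase 2 for the field the rule keys on) can be scripted. The harness below is an added example; it is not code from the list or from OSSEC. It runs one line through ossec-logtest (assumed at the default install path /var/ossec/bin/ossec-logtest), parses the Phase 1/2/3 output into fields, and reports any mismatch against the decoder name, decoded fields and rule id you expect. The two embedded transcripts are constructed from the logtest runs quoted above, so the checks also run offline without an OSSEC install.

```python
"""Verify an OSSEC decoder/rule the way the thread does by hand: run a line
through ossec-logtest and check the decoded fields and the matched rule.

Added example; not code from the ossec-list thread or from OSSEC itself.
Assumption: ossec-logtest lives at the default install path below.
"""
import os
import re
import subprocess

OSSEC_LOGTEST = "/var/ossec/bin/ossec-logtest"  # assumption: default OSSEC install path

# Constructed transcripts modelled on the two ossec-logtest runs in the thread:
# a decoder that only sets program_name, and the one that captures the counter
# into extra_data via <order>extra_data</order>.
LOGTEST_NO_EXTRA_DATA = """\
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: '2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0'
       hostname: 'localhost'
       program_name: 'rsyslogd-pstats'
       log: 'action 7: processed=0 failed=0'

**Phase 2: Completed decoding.
       decoder: 'rsyslog-pstats'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
"""

LOGTEST_WITH_EXTRA_DATA = """\
**Phase 1: Completed pre-decoding.
       full event: '2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0'
       hostname: 'localhost'
       program_name: 'rsyslogd-pstats'
       log: 'imudp(*:514): submitted=0'

**Phase 2: Completed decoding.
       decoder: 'rsyslog-pstats'
       extra_data: '0'
"""

PHASE_RE = re.compile(r"^\*\*Phase (\d+):")
# "key: 'value'" lines inside a phase; keys may contain spaces ("full event", "Rule id")
FIELD_RE = re.compile(r"^\s*([A-Za-z_][\w ]*?):\s*'(.*)'\s*$")


def parse_logtest_output(text):
    """Return {phase_number: {field: value}} parsed from ossec-logtest output.

    Keys are normalised to snake_case ("Rule id" -> "rule_id") so Phase 3
    lines can be checked the same way as the decoded fields.
    """
    phases = {}
    current = None
    for line in text.splitlines():
        m = PHASE_RE.match(line.strip())
        if m:
            current = int(m.group(1))
            phases[current] = {}
            continue
        if current is None:
            continue  # startup banner, not part of any phase
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).strip().lower().replace(" ", "_")
            phases[current][key] = m.group(2)
    return phases


def check(phases, decoder=None, fields=None, rule_id=None):
    """Compare parsed phases with expectations; return a list of mismatch strings."""
    decoded = phases.get(2, {})
    matched = phases.get(3, {})
    problems = []
    if decoder is not None and decoded.get("decoder") != decoder:
        problems.append("decoder: expected %r, got %r" % (decoder, decoded.get("decoder")))
    for name, want in (fields or {}).items():
        if decoded.get(name) != want:
            problems.append("%s: expected %r, got %r" % (name, want, decoded.get(name)))
    if rule_id is not None and matched.get("rule_id") != rule_id:
        problems.append("rule_id: expected %r, got %r" % (rule_id, matched.get("rule_id")))
    return problems


def run_logtest(log_line, binary=OSSEC_LOGTEST):
    """Feed one log line to ossec-logtest on stdin and parse what it prints."""
    proc = subprocess.run([binary], input=log_line + "\n",
                          capture_output=True, text=True, check=False)
    return parse_logtest_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    expect = dict(decoder="rsyslog-pstats", fields={"extra_data": "0"})
    print("program_name-only decoder:", check(parse_logtest_output(LOGTEST_NO_EXTRA_DATA), **expect))
    print("decoder with <order>extra_data:", check(parse_logtest_output(LOGTEST_WITH_EXTRA_DATA), **expect))
    if os.path.exists(OSSEC_LOGTEST):  # live run against the local decoders and rules
        line = "2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0"
        print("live:", check(run_logtest(line), rule_id="200001", **expect))
```

Running it offline prints an empty mismatch list for the transcript with extra_data and `extra_data: expected '0', got None` for the program_name-only decoder, which is exactly the situation the reply diagnoses. Keep one such expectation per decoder/rule pair in your local rules tree and run the script after every edit to local_decoder.xml or local_rules.xml.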