Hi,

OK, I know that, thanks.
But now I have a new problem.
If I want a non-zero value to trigger an alert, how can I do it?
In the rules, I write

"submitted=([^0]+)"
or
"submitted=([1-9]+)"
 
All wrong!

Thanks & best regards

From: dan (ddp)
Sent: 2013-02-28 22:13
To: ossec-list
Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax
On Thu, Feb 28, 2013 at 7:15 AM, root <[email protected]> wrote:
>
> So, thanks.
>
> I think that "extra_data" can match in rules after the <regex>
> :(
>
>


The problem is that you are not populating extra_data in your decoder.
You said you are using the following decoder:

<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

So running the log message through ossec-logtest with that decoder produces:
2013/02/28 09:02:42 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 09:02:42 ossec-testrule: INFO: Started (pid: 7873).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
       hostname: 'localhost'
       program_name: 'rsyslogd-pstats'
       log: 'imudp(*:514): submitted=0'

**Phase 2: Completed decoding.
       decoder: 'rsyslog-pstats'

As you can see there is no extra_data field in Phase 2.
I think the decoder I provided the other day looked something like this:
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
  <regex>^\S+\p\S+:\d+\p: submitted=(\d+)$</regex>
  <order>extra_data</order>
</decoder>

Using this decoder and the same log message I now get:
2013/02/28 09:06:17 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 09:06:17 ossec-testrule: INFO: Started (pid: 19646).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '2013-02-27T19:06:08.807161+08:00 localhost
rsyslogd-pstats: imudp(*:514): submitted=0'
       hostname: 'localhost'
       program_name: 'rsyslogd-pstats'
       log: 'imudp(*:514): submitted=0'

**Phase 2: Completed decoding.
       decoder: 'rsyslog-pstats'
       extra_data: '0'

As you can see the extra_data is now populated in Phase 2, and it
should be available for use in rules.

If you want to create an alert for 0 submitted widgets, you could do
something like this:
<rule id="200001" level="7">
  <decoded_as>rsyslog-pstats</decoded_as>
  <extra_data>0</extra_data>
  <description>0 widgets!</description>
</rule>


> Thanks & best regards
>
> From: dan (ddp)
> Sent: 2013-02-28 19:32
> To: ossec-list
> Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax
>
>
> On Feb 28, 2013 6:26 AM, "root" <[email protected]> wrote:
>>
>> Hi,
>>
>> About this problem, look at this.
>>
>> My decoder is
>>
>>
>> <decoder name="rsyslog-pstats">
>>   <program_name>^rsyslogd-pstats</program_name>
>> </decoder>
>>
>
> You aren't decoding an extra_data entry here, so your rule will never match.
> The second example I wrote for you decoded this properly.
>
>> My test rule is
>>
>> <group name="local,rsyslog,">
>>   <rule id="1050001" level="7">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>>     <extra_data>0</extra_data>
>>     <description>Rsyslog Failed</description>
>>   </rule>
>> </group>
>>
>>
>> Log test:
>>
>> [root@localhost bin]# ./ossec-logtest
>> 2013/02/28 17:15:30 ossec-testrule: INFO: Reading local decoder file.
>> 2013/02/28 17:15:30 ossec-testrule: INFO: Started (pid: 12165).
>> ossec-testrule: Type one log per line.
>>
>> 2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7:
>> processed=0 failed=0
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2013-02-27T19:06:08.807156+08:00 localhost
>> rsyslogd-pstats: action 7: processed=0 failed=0'
>>        hostname: 'localhost'
>>        program_name: 'rsyslogd-pstats'
>>        log: 'action 7: processed=0 failed=0'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'rsyslog-pstats'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>>
>>
>> So, I think the rule is wrong, but I don't know what is wrong with the rule.
>>
>>
>>
>> Thanks & best regards
>> From: root
>> Sent: 2013-02-28 15:40
>> To: ossec-list
>> Subject: Re: about ossec rules Regular Expression Syntax
>>
>> And what does <extra_data> mean in rules?
>> Does it support regular expression syntax?
>>
>> Now my rule is
>>
>> <group name="local,rsyslog,">
>>   <rule id="1050001" level="7">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>>     <extra_data>^[1-9]+</extra_data>
>>     <description>Rsyslog Failed</description>
>>   </rule>
>> </group>
>>
>> It looks like it cannot work?
>>
>>
>>
>>
>> Thanks & best regards
>>
>> From: root
>> Sent: 2013-02-28 15:33
>> To: ossec-list
>> Subject: about ossec rules Regular Expression Syntax
>> Hi all,
>>
>> I have a question about OSSEC rules Regular Expression Syntax.
>>
>> We know that when I want to match a number, I can use "\d" or "\d+".
>>
>> But now, if I have a string like this
>>
>> "failed=0"=="failed=(\d+)"
>>
>> I want to exclude "0"; I use "failed=([1-9]+)", but it cannot match it.
>>
>> How can I do it?
>>
>>
>>
>>
>> Thanks & best regards
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>


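The two threads of this exchange come together in one point: OSSEC's <regex>, <match> and <extra_data> are evaluated by OSSEC's own OS_Regex engine, not PCRE. The documented syntax is \w \d \s \t \p \W \D \S and \. (which means "any character", while a bare "." is a literal dot), the modifiers + and *, the anchors ^ and $, | and ( ) for capture. There are no [ ] character classes, which is why "submitted=([1-9]+)" and "submitted=([^0]+)" can never match. The usual OSSEC way to say "alert on anything but 0" is Dan's decoder feeding a parent rule that matches the counter, plus a level-0 child rule (<if_sid>) matching ^0$ that silences the zero case. The script below is an added example, not code from the thread's posters or from the OSSEC project: it translates the documented OS_Regex subset into Python re (refusing anything OSSEC does not have), runs Dan's decoder regex and a constructed sibling for the "action N: processed=X failed=Y" lines over constructed log fields, and walks the parent/child rules. The rule ids, the second decoder pattern and the \w and \p character sets are assumptions taken from the OSSEC documentation, not checked against the engine source.

```python
r"""Decoder/rule walk from this thread, re-created offline.  Added example, not
code from the ossec-list posters or the OSSEC project.  OSSEC <regex> and
<extra_data> use OSSEC's own OS_Regex, not PCRE: the documented syntax is
\w \d \s \t \p \W \D \S \. plus + * ^ $ | and ( ), with no [ ] classes, so
"submitted=([1-9]+)" can never match.  "Anything but 0" is done with a
parent rule on the counter and a level-0 child rule (if_sid) matching ^0$.
"""
import re

# Constructed "log:" fields, as ossec-logtest shows them after pre-decoding.
SAMPLE_LOGS = ["imudp(*:514): submitted=0", "imudp(*:514): submitted=17",
               "action 7: processed=0 failed=0", "action 7: processed=350 failed=3"]

# OS_Regex escape -> Python re fragment, per the OSSEC docs (the \w and \p
# sets are the documented ones, not verified against the engine source).
_OSSEC_ESCAPES = {
    "w": "[A-Za-z0-9]", "W": "[^A-Za-z0-9]", "d": "[0-9]", "D": "[^0-9]",
    "s": " ", "S": "[^ ]", "t": "\t", "p": "[" + re.escape("()*+,-.:;<=>?[]") + "]",
    ".": ".",  # OS_Regex quirk: "\." is any character; a bare "." is a literal dot
}


def ossec_to_python(pattern):
    """Translate documented OS_Regex syntax to Python re; ValueError otherwise,
    so a pattern can be vetted before it goes into local_rules.xml."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            esc = pattern[i + 1:i + 2]
            if esc not in _OSSEC_ESCAPES:
                raise ValueError(f"unsupported escape {pattern[i:i + 2]!r} at {i}")
            out.append(_OSSEC_ESCAPES[esc])
            i += 2
            continue
        if c in "[]{}?":
            raise ValueError(f"{c!r} at {i}: OS_Regex has no [ ] classes or "
                             "curly-brace quantifiers; ? is not handled here")
        out.append(c if c in "^$|()*+" else re.escape(c))  # re.escape(".") -> literal dot
        i += 1
    return "".join(out)


def is_valid_ossec_regex(pattern):
    try:
        ossec_to_python(pattern)
        return True
    except ValueError:
        return False


# Dan's decoder regex plus a constructed sibling for the "action N:
# processed=X failed=Y" lines (a child decoder in real OSSEC); group 1 -> extra_data.
DECODERS = {"rsyslog-pstats": [
    r"^\S+\p\S+:\d+\p: submitted=(\d+)$",
    r"^action \d+: processed=\d+ failed=(\d+)$",
]}

# local_rules.xml equivalent (ids are arbitrary local-range examples):
#   <rule id="200001" level="7"> <decoded_as>rsyslog-pstats</decoded_as> <extra_data>^\d+$</extra_data>
#   <rule id="200002" level="0"> <if_sid>200001</if_sid> <extra_data>^0$</extra_data>
RULES = [
    {"id": 200001, "level": 7, "decoded_as": "rsyslog-pstats", "extra_data": r"^\d+$"},
    {"id": 200002, "level": 0, "if_sid": 200001, "extra_data": r"^0$"},
]


def decode(log):
    """First matching decoder regex wins and fills extra_data."""
    for name, patterns in DECODERS.items():
        for pat in patterns:
            m = re.search(ossec_to_python(pat), log)
            if m:
                return {"decoder": name, "extra_data": m.group(1)}
    return {"decoder": None}


def rule_matches(rule, fields):
    if "decoded_as" in rule and rule["decoded_as"] != fields.get("decoder"):
        return False
    value = fields.get("extra_data")
    if "extra_data" in rule and (value is None
                                 or not re.search(ossec_to_python(rule["extra_data"]), value)):
        return False
    return True


def evaluate(fields):
    """First matching top-level rule, replaced by a matching if_sid child.
    Level 0 means no alert: that is how OSSEC expresses "except when 0"."""
    for rule in RULES:
        if "if_sid" in rule or not rule_matches(rule, fields):
            continue
        for child in RULES:
            if child.get("if_sid") == rule["id"] and rule_matches(child, fields):
                rule = child
                break
        return None if rule["level"] == 0 else rule
    return None


def alerts_for(logs):
    """Map each alerting log line to its alert level (lines with 0 drop out)."""
    hits = [(log, evaluate(decode(log))) for log in logs]
    return {log: rule["level"] for log, rule in hits if rule is not None}
```

The translation is only a convenience for checking syntax offline. Before trusting a pattern, do what Dan did above: put it in local_decoder.xml / local_rules.xml and feed the raw line to ossec-logtest; Phase 2 must show extra_data populated, and Phase 3 must not produce the level-7 alert for the "submitted=0" line.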