I use "ossec-logtest" to test and it is OK:
./ossec-logtest
2013-03-04T18:35:12.032354+08:00 localhost rsyslogd-pstats: main Q: size=11
enqueued=40937 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441
**Phase 1: Completed pre-decoding.
full event: '2013-03-04T18:35:12.032354+08:00 localhost rsyslogd-pstats:
main Q: size=11 enqueued=40937 full=0 discarded.full=0 discarded.nf=0
maxqsize=1441'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'main Q: size=11 enqueued=40937 full=0 discarded.full=0
discarded.nf=0 maxqsize=1441'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
extra_data: '0'
extra_data: '0'
**Phase 3: Completed filtering (rules).
Rule id: '105001'
Level: '0'
Description: 'rsyslog is ok'
2013-03-04T18:35:12.032354+08:00 localhost rsyslogd-pstats: main Q: size=11
enqueued=40937 full=0 discarded.full=0 discarded.nf=12 maxqsize=1441
**Phase 1: Completed pre-decoding.
full event: '2013-03-04T18:35:12.032354+08:00 localhost rsyslogd-pstats:
main Q: size=11 enqueued=40937 full=0 discarded.full=0 discarded.nf=12
maxqsize=1441'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'main Q: size=11 enqueued=40937 full=0 discarded.full=0
discarded.nf=12 maxqsize=1441'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
extra_data: '0'
extra_data: '12'
**Phase 3: Completed filtering (rules).
Rule id: '105003'
Level: '13'
Description: 'rsyslog has discarded'
**Alert to be generated.
why??
Thanks & Best Regards
From: root
Date: 2013-03-06 15:04
To: ossec-list
CC: ddpbsd
Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
hi,
Now my rules are written like this:
<group name="rsyslog,">
  <rule id="105001" level="0">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>^0</extra_data>
    <description>rsyslog is ok</description>
  </rule>
  <rule id="105002" level="13">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>failed=</match>
    <description>rsyslog has discarded</description>
  </rule>
  <rule id="105003" level="13">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>discarded.full=</match>
    <description>rsyslog has discarded</description>
  </rule>
  <rule id="105004" level="13">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>discarded=</match>
    <description>rsyslog has discarded</description>
  </rule>
</group>
But it has many false alarms. Like:
OSSEC HIDS Notification.
2013 Mar 06 14:56:13
Received From: localhost->/var/log/rsyslog-stats
Rule: 105002 fired (level 13) -> "rsyslog has discarded"
Portion of the log(s):
2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1:
processed=22404 failed=0
You see, this is a false alarm, so how?
Thanks & Best Regards
From: dan (ddp)
Date: 2013-03-06 07:48
To: ossec-list
Subject: Re: [ossec-list] Re: how can i match nonzero in rules?
On Mar 4, 2013 5:41 AM, "root" <[email protected]> wrote:
>
>
> hi
>
> I write rules like this:
>
> <group name="rsyslog,">
>
>   <rule id="105001" level="0">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <extra_data>^0</extra_data>
>     <description>rsyslog is right</description>
>   </rule>
>
>   <rule id="105002" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <extra_data>^1</extra_data>
>     <description>rsyslog is wrong</description>
>   </rule>
>
You'll have to replace rule [12] with the correct information. The
basic idea is to match any value, then eliminate the one you don't
want to see.
<rule 1>
<match>submitted=</match>
</rule 1>
<rule 2 level="0">
<extra_data>0</extra_data>
</rule 2>
>
> </group>
>
>
> But the problem is that if the extra_data value is something like "21", it cannot match it....
>
> Thanks & Best Regards
>
> From: root
> Date: 2013-03-04 17:08
> To: ossec-list
> Subject: how can i match nonzero in rules?
> hi,
>
>
> Now I have matched the "discarded " value in rsyslog-stats; I want to monitor this: if the
> value is "0", no alert, and if not, alert!
>
> So how can I do this?
>
>
> Thanks & Best Regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
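The false alarms in this thread come from `<match>failed=</match>` being a substring match: `failed=0` contains `failed=`, so the rule fires on every impstats line, which is also why 105003 fired on the line with `discarded.full=0` in the logtest output at the top. The Python below is an added example (not code from the thread or from OSSEC) that models both that substring match and Dan's "match any value, then eliminate the zero" approach over constructed impstats lines; the counter names, the parse regex and the rule levels are my assumptions.

```python
import re

# Constructed rsyslog impstats lines, modelled on the ones quoted in the thread.
SAMPLE_LINES = [
    "2013-03-04T18:35:12.032354+08:00 localhost rsyslogd-pstats: main Q: size=11 "
    "enqueued=40937 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441",
    "2013-03-04T18:35:12.032354+08:00 localhost rsyslogd-pstats: main Q: size=11 "
    "enqueued=40937 full=0 discarded.full=0 discarded.nf=12 maxqsize=1441",
    "2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1: "
    "processed=22404 failed=0",
    "2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1: "
    "processed=22404 failed=3",
]

# Assumed set of counters whose nonzero value means rsyslog is losing messages.
ERROR_COUNTERS = ("failed", "discarded.full", "discarded.nf")

def parse_pstats(line):
    """Return {counter: int} from the 'k=v k=v' tail of an impstats line."""
    m = re.search(r"rsyslogd-pstats: .*?: (.*)$", line)
    if not m:
        return {}
    return {k: int(v) for k, v in re.findall(r"(\S+?)=(\d+)", m.group(1))}

def naive_match(line):
    """Model of <match>failed=</match>: fires whenever the key text appears,
    so 'failed=0' alerts as well. This is the false-alarm behaviour in the thread."""
    return [k for k in ERROR_COUNTERS if k + "=" in line]

def evaluate(line):
    """Model of 'match any value, then eliminate the one you don't want':
    every error counter is matched first, and a counter equal to 0 is
    dropped (level 0), so only a nonzero value produces an alert (level 13)."""
    counters = parse_pstats(line)
    nonzero = {k: v for k, v in counters.items()
               if k in ERROR_COUNTERS and v != 0}
    if not nonzero:
        return 0, "rsyslog is ok"
    detail = ", ".join(f"{k}={v}" for k, v in sorted(nonzero.items()))
    return 13, "rsyslog has discarded: " + detail

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(naive_match(line), evaluate(line))
```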