On Mar 6, 2013 4:35 AM, "root" <[email protected]> wrote:
>
>
>  I think OSSEC rules have some problem, like
>
>  <match>failed=</match> means any log that has this word "failed=", so every
> log can match it!
>
>

Which is why you should put that rule first, and have the extra_data-is-0 one
if_sid that rule.

>
>
>   Thanks & Best Regards
>
> From: root
> Date: 2013-03-06 19:30
> To: dan (ddp)
> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
> hi,
>
> OK, let us see this log
>
>
>
> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
>
> I want to match "failed=0"; if "failed=0", it means "rsyslog is ok", if not,
> "rsyslog has discarded"
>
>
> the decoder is like this
>
>
> <decoder name="rsyslog-pstats">
>    <program_name>^rsyslogd-pstats</program_name>
> </decoder>
>
> <decoder name="rsyslog-pstats-action">
>     <parent>rsyslog-pstats</parent>
>     <prematch>^action\s\d+</prematch>
>     <regex offset="after_prematch">^\.*failed=(\d+)$</regex>
>     <order>extra_data</order>
> </decoder>
>
>
> <decoder name="rsyslog-pstats-imuxsock">
>    <parent>rsyslog-pstats</parent>
>    <prematch>^imuxsock</prematch>
>    <regex offset="after_prematch">^\.*discarded=(\d+)\s+\.*</regex>
>    <order>extra_data</order>
> </decoder>
>
> <decoder name="rsyslog-pstats-main">
>   <parent>rsyslog-pstats</parent>
>   <prematch offset="after_parent">^main Q: </prematch>
>   <regex offset="after_prematch">^\.+ discarded.full=(\d+)\s+discarded.nf=(\d+)</regex>
>   <order>extra_data, extra_data</order>
> </decoder>
>
>
> the rules are like this
>
> <group name="rsyslog,">
>
> <rule id="105001" level="0">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <extra_data>^0</extra_data>
>     <description>rsyslog is ok</description>
> </rule>
>
> <rule id="105002" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <match>failed=</match>
>     <description>rsyslog has discarded</description>
> </rule>
>
> <rule id="105003" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <match>discarded.full=</match>
>     <description>rsyslog has discarded</description>
> </rule>
>
> <rule id="105004" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <match>discarded=</match>
>     <description>rsyslog has discarded</description>
> </rule>
> </group>
>
> and let us use ossec-logtest to test the log; it seems to be OK!
>
> [root@localhost bin]# ./ossec-logtest
> 2013/03/06 19:24:58 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/06 19:24:58 ossec-testrule: INFO: Started (pid: 18052).
> ossec-testrule: Type one log per line.
>
>
> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30
>
>
> **Phase 1: Completed pre-decoding.
>
>        full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'action 2: processed=4421 failed=30'
>
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>        extra_data: '30'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '105002'
>        Level: '13'
>        Description: 'rsyslog has discarded'
> **Alert to be generated.
>
>
>
> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
>
>
> **Phase 1: Completed pre-decoding.
>
>        full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'action 2: processed=4421 failed=0'
>
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>        extra_data: '0'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '105001'
>        Level: '0'
>        Description: 'rsyslog is ok'
>
>
>
> but the email alert says not!! The email alert is
>
>
>
> OSSEC HIDS Notification.
> 2013 Mar 06 19:27:13
>
> Received From: localhost->/var/log/rsyslog-stats
> Rule: 105002 fired (level 13) -> "rsyslog has discarded"
> Portion of the log(s):
>
>
> 2013-03-06T19:27:13.304114+08:00 localhost rsyslogd-pstats: action 1: processed=41904 failed=0
>
>
>
>
>   Thanks & Best Regards
>
> From: dan (ddp)
> Date: 2013-03-06 19:09
> To: root
> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
>
>
> On Mar 6, 2013 12:04 AM, "root" <[email protected]> wrote:
> >
> >
> >  hi,
> >
> > now my rules are written like this
> >
> >
> > <group name="rsyslog,">
> >
> > <rule id="105001" level="0">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <extra_data>^0</extra_data>
> >     <description>rsyslog is ok</description>
> > </rule>
> > <rule id="105002" level="13">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <match>failed=</match>
> >     <description>rsyslog has discarded</description>
> > </rule>
> >
>
> I think you have these in the wrong order.
>
> > <rule id="105003" level="13">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <match>discarded.full=</match>
> >     <description>rsyslog has discarded</description>
> > </rule>
> >
> > <rule id="105004" level="13">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <match>discarded=</match>
> >     <description>rsyslog has discarded</description>
> > </rule>
> > </group>
> >
> >
> > but there are many false alarms.
> >
> > like
> >
> >
> > OSSEC HIDS Notification.
> > 2013 Mar 06 14:56:13
> >
> > Received From: localhost->/var/log/rsyslog-stats
> > Rule: 105002 fired (level 13) -> "rsyslog has discarded"
> > Portion of the log(s):
> >
> >
> > 2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1: processed=22404 failed=0
> >
> >
> > You see, this is a false alarm, so how?
> >
> >
> >
> >
> >   Thanks & Best Regards
> >
> > From: dan (ddp)
> > Date: 2013-03-06 07:48
> > To: ossec-list
> > Subject: Re: [ossec-list] Re: how can i match nonzero in rules?
> > On Mar 4, 2013 5:41 AM, "root" <[email protected]> wrote:
> > >
> > >
> > > hi
> > >
> > > I write the rule like this
> > >
> > > <group name="rsyslog,">
> > >
> > >  <rule id="105001" level="0">
> > >     <decoded_as>rsyslog-pstats</decoded_as>
> > >     <extra_data>^0</extra_data>
> > >     <description>rsyslog is right</description>
> > >  </rule>
> > >
> > >   <rule id="105002" level="13">
> > >     <decoded_as>rsyslog-pstats</decoded_as>
> > >     <extra_data>^1</extra_data>
> > >     <description>rsyslog is wrong</description>
> > >   </rule>
> > >
> >
> > You'll have to replace rule [12] with the correct information. The
> > basic idea is to match any value, then eliminate the one you don't
> > want to see.
> > <rule 1>
> > <match>submitted=</match>
> > </rule 1>
> >
> > <rule 2 level="0">
> > <extra_data>0</extra_data>
> > </rule 2>
> >
> >
> > >
> > > </group>
> > >
> > >
> > > but the problem is that if the extra_data value is like "21", it cannot match it....
> > >
> > >   Thanks & Best Regards
> > >
> > > From: root
> > > Date: 2013-03-04 17:08
> > > To: ossec-list
> > > Subject: how can i match nonzero in rules?
> > > hi,
> > >
> > >
> >
> > > now I have matched the "discarded" value in rsyslog-stats; I want to monitor this:
> > > if the value is "0", no alert, and if not, alert it!
> > >
> > > so how can I do it?
> > >
> > >
> > >   Thanks & Best Regards
> > >
> > > --
> > >
> > > ---
> > >
> > > You received this message because you are subscribed to the Google Groups
> > > "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to [email protected].
> > > For more options, visit https://groups.google.com/groups/opt_out.

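The rule layout dan recommends (the generic "failed=" rule first, then a level-0 child tied to it with if_sid that swallows the failed=0 case), modelled in Python as an added example that is not part of this thread and is not the OSSEC engine: the parent/child evaluation is a simplified model, the decoder regex is a translation of the thread's rsyslog-pstats-action decoder into Python syntax, and the sample lines are the three rsyslogd-pstats events shown in the thread.

```python
import re

# Sample lines: the three rsyslogd-pstats events shown in the thread.
SAMPLE_LOGS = [
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30",
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0",
    "2013-03-06T19:27:13.304114+08:00 localhost rsyslogd-pstats: action 1: processed=41904 failed=0",
]

# The thread's rsyslog-pstats-action decoder translated to Python regex
# (OSSEC's own dialect writes "any character" as \. and a digit as \d).
DECODER = re.compile(r"^rsyslogd-pstats: action \d+.*?failed=(\d+)$")

# Rules in the order the thread recommends: the generic "failed=" rule is the
# parent; the level-0 child points at it with if_sid and silences failed=0.
RULES = [
    {"id": 105002, "level": 13, "match": "failed=",
     "description": "rsyslog has discarded"},
    {"id": 105001, "level": 0, "if_sid": 105002, "extra_data": re.compile(r"^0$"),
     "description": "rsyslog is ok"},
]


def decode(line):
    """Strip timestamp and hostname, apply the decoder; return (log, extra_data) or None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    log = parts[2]
    m = DECODER.search(log)
    return (log, m.group(1)) if m else None


def evaluate(line):
    """Simplified model of OSSEC parent/child evaluation: the first top-level rule
    whose <match> string occurs in the log fires, then the first child whose if_sid
    points at it and whose <extra_data> pattern matches overrides it.
    Returns (rule id, level), or None when nothing fires."""
    decoded = decode(line)
    if decoded is None:
        return None
    log, extra_data = decoded
    fired = next((r for r in RULES if "if_sid" not in r and r["match"] in log), None)
    if fired is None:
        return None
    for child in RULES:
        if child.get("if_sid") == fired["id"] and child["extra_data"].match(extra_data):
            return child["id"], child["level"]
    return fired["id"], fired["level"]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line.rsplit(" ", 1)[-1], "->", evaluate(line))
```

With this ordering the failed=30 line fires 105002 at level 13 and both failed=0 lines end in the level-0 child, which is the outcome the thread's ossec-logtest runs wanted.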