Yes, I restarted my OSSEC server, but the problem goes on!





  Thanks & Best Regards

From: dan (ddp)
Date: 2013-03-06 21:35
To: root; ossec-list
Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?

On Mar 6, 2013 4:30 AM, "root" <[email protected]> wrote:
>
> Hi,
>  
> OK, let us see this log:
>  
>  
> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0 
>  
> I want to match "failed=0": if "failed=0", it means "rsyslog is ok"; if not, "rsyslog has discarded".
>  
>  
> The decoders look like this:
>  
>  
> <decoder name="rsyslog-pstats">
>    <program_name>^rsyslogd-pstats</program_name>
> </decoder>
>  
> <decoder name="rsyslog-pstats-action">
>     <parent>rsyslog-pstats</parent>
>     <prematch>^action\s\d+</prematch>
>     <regex offset="after_prematch">^\.*failed=(\d+)$</regex>
>     <order>extra_data</order>
> </decoder>
>  
>  
> <decoder name="rsyslog-pstats-imuxsock">
>    <parent>rsyslog-pstats</parent>
>    <prematch>^imuxsock</prematch>
>    <regex offset="after_prematch">^\.*discarded=(\d+)\s+\.*</regex>
>    <order>extra_data</order>
> </decoder>
>  
> <decoder name="rsyslog-pstats-main">
>   <parent>rsyslog-pstats</parent>
>   <prematch offset="after_parent">^main Q: </prematch>
>   <regex offset="after_prematch">^\.+ discarded.full=(\d+)\s+discarded.nf=(\d+)</regex>
>   <order>extra_data, extra_data</order>
> </decoder>
>  
>  
> The rules look like this:
>  
> <group name="rsyslog,">
>  
> <rule id="105001" level="0">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <extra_data>^0</extra_data>
>     <description>rsyslog is ok</description>
> </rule>
>  
> <rule id="105002" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <match>failed=</match>
>     <description>rsyslog has discarded</description>
> </rule>
>  
> <rule id="105003" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <match>discarded.full=</match>
>     <description>rsyslog has discarded</description>
> </rule>
>  
> <rule id="105004" level="13">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <match>discarded=</match>
>     <description>rsyslog has discarded</description>
> </rule>
> </group>
>  
> And let us use ossec-logtest to test the log; it seems to be OK!
>  
> [root@localhost bin]# ./ossec-logtest 
> 2013/03/06 19:24:58 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/06 19:24:58 ossec-testrule: INFO: Started (pid: 18052).
> ossec-testrule: Type one log per line.
>  
> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30
>  
>  
> **Phase 1: Completed pre-decoding.
>        full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'action 2: processed=4421 failed=30'
>  
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>        extra_data: '30'
>  
> **Phase 3: Completed filtering (rules).
>        Rule id: '105002'
>        Level: '13'
>        Description: 'rsyslog has discarded'
> **Alert to be generated.
>  
>  
> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
>  
>  
> **Phase 1: Completed pre-decoding.
>        full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'action 2: processed=4421 failed=0'
>  
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>        extra_data: '0'
>  
> **Phase 3: Completed filtering (rules).
>        Rule id: '105001'
>        Level: '0'
>        Description: 'rsyslog is ok'
>  
>  
>  
> But the email alert says otherwise!! The email alert is:
>  
>  
>  
> OSSEC HIDS Notification.
> 2013 Mar 06 19:27:13
>  
> Received From: localhost->/var/log/rsyslog-stats
> Rule: 105002 fired (level 13) -> "rsyslog has discarded"
> Portion of the log(s):
>  
> 2013-03-06T19:27:13.304114+08:00 localhost rsyslogd-pstats: action 1: processed=41904 failed=0 
>  
>  
>  
>  
>   Thanks & Best Regards
>  
I can't play with this right now, but did you restart the ossec server 
processes?

> From: dan (ddp)
> Date: 2013-03-06 19:09
> To: root
> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
>
>
> On Mar 6, 2013 12:04 AM, "root" <[email protected]> wrote:
> >
> >  
> >  Hi,
> >  
> > Now my rules are written like this:
> >  
> >  
> > <group name="rsyslog,">
> >  
> > <rule id="105001" level="0">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <extra_data>^0</extra_data>
> >     <description>rsyslog is ok</description>
> > </rule>
> > <rule id="105002" level="13">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <match>failed=</match>
> >     <description>rsyslog has discarded</description>
> > </rule>
> >  
>
> I think you have these in the wrong order.
>
> > <rule id="105003" level="13">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <match>discarded.full=</match>
> >     <description>rsyslog has discarded</description>
> > </rule>
> >  
> > <rule id="105004" level="13">
> >     <decoded_as>rsyslog-pstats</decoded_as>
> >     <match>discarded=</match>
> >     <description>rsyslog has discarded</description>
> > </rule>
> > </group>
> >  
> >  
> > But there are many false alarms.
> >  
> > Like:
> >  
> >  
> > OSSEC HIDS Notification.
> > 2013 Mar 06 14:56:13
> >  
> > Received From: localhost->/var/log/rsyslog-stats
> > Rule: 105002 fired (level 13) -> "rsyslog has discarded"
> > Portion of the log(s):
> >  
> > 2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1: processed=22404 failed=0 
> >  
> >  
> > You see, this is a false alarm. So, how?
> >  
> >  
> >  
> >  
> >   Thanks & Best Regards
> >  
> > From: dan (ddp)
> > Date: 2013-03-06 07:48
> > To: ossec-list
> > Subject: Re: [ossec-list] Re: how can i match nonzero in rules?
> > On Mar 4, 2013 5:41 AM, "root" <[email protected]> wrote:
> > >
> > >
> > > Hi,
> > >
> > > I wrote a rule like this:
> > >
> > > <group name="rsyslog,">
> > >
> > >  <rule id="105001" level="0">
> > >     <decoded_as>rsyslog-pstats</decoded_as>
> > >     <extra_data>^0</extra_data>
> > >     <description>rsyslog is right</description>
> > >  </rule>
> > >
> > >   <rule id="105002" level="13">
> > >     <decoded_as>rsyslog-pstats</decoded_as>
> > >     <extra_data>^1</extra_data>
> > >     <description>rsyslog is wrong</description>
> > >   </rule>
> > >
> >  
> > You'll have to replace rule [12] with the correct information. The
> > basic idea is to match any value, then eliminate the one you don't
> > want to see.
> > <rule 1>
> > <match>submitted=</match>
> > </rule 1>
> >  
> > <rule 2 level="0">
> > <extra_data>0</extra_data>
> > </rule 2>
> >  
> >  
> > >
> > > </group>
> > >
> > >
> > > But the problem is that if the extra_data value is something like "21", it cannot match it....
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >   Thanks & Best Regards
> > >
> > > From: root
> > > Date: 2013-03-04 17:08
> > > To: ossec-list
> > > Subject: how can i match nonzero in rules?
> > > hi,
> > >
> > >
> > > Now I have matched the "discarded" value in rsyslog-stats; I want to monitor 
> > > this: if the value is "0", no alert, and if not, alert on it!
> > >
> > > So how can I do this?
> > >
> > >
> > >   Thanks & Best Regards
> > >
> > > --
> > >
> > > ---
> > > You received this message because you are subscribed to the Google Groups 
> > > "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an 
> > > email to [email protected].
> > > For more options, visit https://groups.google.com/groups/opt_out.
> > >
> > >

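The approach dan describes in the thread (match any value of the counter, then suppress the zero case) rewritten as a standalone Python check over constructed rsyslogd-pstats lines, added here as an editorial example and not code from the thread or from OSSEC. The rule ids reuse the thread's numbering; the syslog and key=value regexes and the set of counters treated as "lost messages" are my assumptions.

```python
import re

# Constructed sample lines modelled on the rsyslogd-pstats messages quoted in the thread.
SAMPLE_LOGS = [
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0",
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30",
    "2013-03-04T18:29:32.000000+08:00 localhost rsyslogd-pstats: imuxsock: submitted=120 ratelimit.discarded=0",
    "2013-03-04T18:29:32.000000+08:00 localhost rsyslogd-pstats: main Q: size=0 enqueued=500 full=0 discarded.full=0 discarded.nf=7 maxqsize=12",
    "2013-03-04T18:29:33.000000+08:00 localhost sshd: Accepted publickey for user from 10.0.0.5 port 22",
]

# Rule numbers reuse the thread's ids; which counters signal lost messages is my assumption.
OK_RULE = (105001, 0, "rsyslog is ok")
ALERT_RULES = {  # counter-name suffix -> rule fired when that counter is nonzero
    "failed": (105002, 13, "rsyslog has discarded"),
    "discarded.full": (105003, 13, "rsyslog has discarded"),
    "discarded.nf": (105003, 13, "rsyslog has discarded"),
    "discarded": (105004, 13, "rsyslog has discarded"),
}
SYSLOG_RE = re.compile(r"^\S+\s+(?P<hostname>\S+)\s+(?P<program_name>[^:\s]+):\s+(?P<log>.*)$")
KV_RE = re.compile(r"(?P<key>[A-Za-z_.]+)=(?P<val>-?\d+)")

def predecode(line):
    """Phase 1, as ossec-logtest prints it: hostname, program_name and the remaining log text."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def decode_pstats(log):
    """Phase 2: every counter=value pair of a pstats message, converted to int."""
    return {m["key"]: int(m["val"]) for m in KV_RE.finditer(log)}

def evaluate(line):
    """Phase 3: (rule_id, level, description), or None when no decoder/rule applies.
    Matches any watched counter first, then suppresses the zero case with a numeric
    comparison instead of a regex on the digit string."""
    ev = predecode(line)
    if ev is None or ev["program_name"] != "rsyslogd-pstats":
        return None  # the parent decoder would not match this line
    watched = {}
    for key, value in decode_pstats(ev["log"]).items():
        for suffix in sorted(ALERT_RULES, key=len, reverse=True):  # longest suffix first
            if key == suffix or key.endswith("." + suffix):
                watched[key] = (value, ALERT_RULES[suffix])
                break
    if not watched:
        return None  # pstats line without a lost-message counter
    for value, rule in watched.values():
        if value != 0:
            return rule  # any nonzero counter: alert
    return OK_RULE  # all watched counters are zero: level 0, no alert
```

Running `evaluate()` over the sample lines gives level 0 for the two zero-counter lines, the level 13 rules for failed=30 and discarded.nf=7, and None for the sshd line.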