On Mar 6, 2013 6:48 AM, "root" <[email protected]> wrote:
>
> Do you mean that I must write:
>
> <rule id="105001" level="13">
> <decoded_as>rsyslog-pstats</decoded_as>
> <match>failed=</match>
> <description>rsyslog has discarded</description>
> </rule>
>
> <rule id="105002" level="0">
> <decoded_as>rsyslog-pstats</decoded_as>
> <extra_data>^0</extra_data>
> <description>rsyslog is ok</description>
> </rule>
>
> or ?
>
I would try the one below. 105001 makes sure failed= is in the message, and 105002 ignores messages with a 0 in extra data.

> <rule id="105001" level="13">
> <decoded_as>rsyslog-pstats</decoded_as>
> <match>failed=</match>
> <description>rsyslog has discarded</description>
> </rule>
>
> <rule id="105002" level="0">
> <if_sid>105001</if_sid>
> <decoded_as>rsyslog-pstats</decoded_as>
> <extra_data>^0</extra_data>
> <description>rsyslog is ok</description>
> </rule>
>
> thanks&Best Regards
>
> From: dan (ddp)
> Date: 2013-03-06 21:36
> To: root; ossec-list
> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
>
> On Mar 6, 2013 4:35 AM, "root" <[email protected]> wrote:
> >
> > I think the OSSEC rules have some problem, like
> >
> > <match>failed=</match>, which means every log that has the word "failed=" will match it!
> >
>
> Which is why you should put that rule first, and have the one with extra_data being 0 if_sid that rule.
>
> >
> > thanks&Best Regards
> >
> > From: root
> > Date: 2013-03-06 19:30
> > To: dan (ddp)
> > Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
> > hi,
> >
> > OK, let us see this log:
> >
> > 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
> >
> > I want to match "failed=0": if "failed=0", it means "rsyslog is ok"; if not, "rsyslog has discarded".
> >
> > The decoder is like this:
> >
> > <decoder name="rsyslog-pstats">
> > <program_name>^rsyslogd-pstats</program_name>
> > </decoder>
> >
> > <decoder name="rsyslog-pstats-action">
> > <parent>rsyslog-pstats</parent>
> > <prematch>^action\s\d+</prematch>
> > <regex offset="after_prematch">^\.*failed=(\d+)$</regex>
> > <order>extra_data</order>
> > </decoder>
> >
> > <decoder name="rsyslog-pstats-imuxsock">
> > <parent>rsyslog-pstats</parent>
> > <prematch>^imuxsock</prematch>
> > <regex offset="after_prematch">^\.*discarded=(\d+)\s+\.*</regex>
> > <order>extra_data</order>
> > </decoder>
> >
> > <decoder name="rsyslog-pstats-main">
> > <parent>rsyslog-pstats</parent>
> > <prematch offset="after_parent">^main Q: </prematch>
> > <regex offset="after_prematch">^\.+ discarded.full=(\d+)\s+ discarded.nf=(\d+)</regex>
> > <order>extra_data, extra_data</order>
> > </decoder>
> >
> > The rules are like this:
> >
> > <group name="rsyslog,">
> >
> > <rule id="105001" level="0">
> > <decoded_as>rsyslog-pstats</decoded_as>
> > <extra_data>^0</extra_data>
> > <description>rsyslog is ok</description>
> > </rule>
> >
> > <rule id="105002" level="13">
> > <decoded_as>rsyslog-pstats</decoded_as>
> > <match>failed=</match>
> > <description>rsyslog has discarded</description>
> > </rule>
> >
> > <rule id="105003" level="13">
> > <decoded_as>rsyslog-pstats</decoded_as>
> > <match>discarded.full=</match>
> > <description>rsyslog has discarded</description>
> > </rule>
> >
> > <rule id="105004" level="13">
> > <decoded_as>rsyslog-pstats</decoded_as>
> > <match>discarded=</match>
> > <description>rsyslog has discarded</description>
> > </rule>
> > </group>
> >
> > And let us use ossec-logtest to test the log; it seems to be OK!
> >
> > [root@localhost bin]# ./ossec-logtest
> > 2013/03/06 19:24:58 ossec-testrule: INFO: Reading local decoder file.
> > 2013/03/06 19:24:58 ossec-testrule: INFO: Started (pid: 18052).
> > ossec-testrule: Type one log per line.
> >
> > 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30'
> > hostname: 'localhost'
> > program_name: 'rsyslogd-pstats'
> > log: 'action 2: processed=4421 failed=30'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'rsyslog-pstats'
> > extra_data: '30'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '105002'
> > Level: '13'
> > Description: 'rsyslog has discarded'
> > **Alert to be generated.
> >
> > 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0'
> > hostname: 'localhost'
> > program_name: 'rsyslogd-pstats'
> > log: 'action 2: processed=4421 failed=0'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'rsyslog-pstats'
> > extra_data: '0'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '105001'
> > Level: '0'
> > Description: 'rsyslog is ok'
> >
> > But the email alert says otherwise!! The email alert is:
> >
> > OSSEC HIDS Notification.
> > 2013 Mar 06 19:27:13
> >
> > Received From: localhost->/var/log/rsyslog-stats
> > Rule: 105002 fired (level 13) -> "rsyslog has discarded"
> > Portion of the log(s):
> >
> > 2013-03-06T19:27:13.304114+08:00 localhost rsyslogd-pstats: action 1: processed=41904 failed=0
> >
> > thanks&Best Regards
> >
> > From: dan (ddp)
> > Date: 2013-03-06 19:09
> > To: root
> > Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
> >
> > On Mar 6, 2013 12:04 AM, "root" <[email protected]> wrote:
> > >
> > > hi,
> > >
> > > Now my rules are written like this:
> > >
> > > <group name="rsyslog,">
> > >
> > > <rule id="105001" level="0">
> > > <decoded_as>rsyslog-pstats</decoded_as>
> > > <extra_data>^0</extra_data>
> > > <description>rsyslog is ok</description>
> > > </rule>
> > > <rule id="105002" level="13">
> > > <decoded_as>rsyslog-pstats</decoded_as>
> > > <match>failed=</match>
> > > <description>rsyslog has discarded</description>
> > > </rule>
> > >
> >
> > I think you have these in the wrong order.
> >
> > > <rule id="105003" level="13">
> > > <decoded_as>rsyslog-pstats</decoded_as>
> > > <match>discarded.full=</match>
> > > <description>rsyslog has discarded</description>
> > > </rule>
> > >
> > > <rule id="105004" level="13">
> > > <decoded_as>rsyslog-pstats</decoded_as>
> > > <match>discarded=</match>
> > > <description>rsyslog has discarded</description>
> > > </rule>
> > > </group>
> > >
> > > But it has many false alarms, like:
> > >
> > > OSSEC HIDS Notification.
> > > 2013 Mar 06 14:56:13
> > >
> > > Received From: localhost->/var/log/rsyslog-stats
> > > Rule: 105002 fired (level 13) -> "rsyslog has discarded"
> > > Portion of the log(s):
> > >
> > > 2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1: processed=22404 failed=0
> > >
> > > You see, this is a false alarm. So, how?
> > >
> > > thanks&Best Regards
> > >
> > > From: dan (ddp)
> > > Date: 2013-03-06 07:48
> > > To: ossec-list
> > > Subject: Re: [ossec-list] Re: how can i match nonzero in rules?
> > > On Mar 4, 2013 5:41 AM, "root" <[email protected]> wrote:
> > > >
> > > > hi
> > > >
> > > > I write the rule like this:
> > > >
> > > > <group name="rsyslog,">
> > > >
> > > > <rule id="105001" level="0">
> > > > <decoded_as>rsyslog-pstats</decoded_as>
> > > > <extra_data>^0</extra_data>
> > > > <description>rsyslog is right</description>
> > > > </rule>
> > > >
> > > > <rule id="105002" level="13">
> > > > <decoded_as>rsyslog-pstats</decoded_as>
> > > > <extra_data>^1</extra_data>
> > > > <description>rsyslog is wrong</description>
> > > > </rule>
> > > >
> > >
> > > You'll have to replace rule [12] with the correct information. The
> > > basic idea is to match any value, then eliminate the one you don't
> > > want to see.
> > >
> > > <rule 1>
> > > <match>submitted=</match>
> > > </rule 1>
> > >
> > > <rule 2 level="0">
> > > <extra_data>0</extra_data>
> > > </rule 2>
> > >
> > > >
> > > > </group>
> > > >
> > > > But the problem is that if the extra_data value is something like "21", it cannot match it....
> > > >
> > > > thanks&Best Regards
> > > >
> > > > From: root
> > > > Date: 2013-03-04 17:08
> > > > To: ossec-list
> > > > Subject: how can i match nonzero in rules?
> > > >
> > > > hi,
> > > >
> > > > Now I have matched the "discarded " value in rsyslog-stats. I want to monitor this: if the value is "0", no alert, and if not, alert on it!
> > > >
> > > > So how can I do this?
> > > >
> > > > thanks&Best Regards
> > > >
> > > > --
> > > >
> > > > ---
> > > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > > For more options, visit https://groups.google.com/groups/opt_out.
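To make the if_sid arrangement from dan's reply concrete, here is a small Python emulation, added here and not OSSEC's code or anything posted in the thread, of the level-13 parent rule 105001 plus the level-0 child 105002 evaluating pstats lines of the kind the poster showed. The log lines are constructed, the poster's decoders are rewritten as Python regexes, and the rule walk is a simplification of what ossec-analysisd does.

```python
import re

# Constructed rsyslog pstats lines in the shape the thread discusses (not captured from the poster's host).
SAMPLE_LOGS = [
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30",
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0",
    "2013-03-04T18:29:31.772617+08:00 localhost sshd: Failed password for root",
]

# Pre-decoding (timestamp, hostname, program_name, log) plus a stand-in for the poster's
# rsyslog-pstats / rsyslog-pstats-action decoders, written in Python regex rather than OSSEC regex.
PREDECODE = re.compile(r"^\S+ (?P<hostname>\S+) (?P<program_name>[^:]+): (?P<log>.*)$")
ACTION_FAILED = re.compile(r"^action \d+.*failed=(\d+)$")

def decode(line):
    """Return the decoded event, or None when the line is not an rsyslogd-pstats message."""
    m = PREDECODE.match(line)
    if m is None or not m.group("program_name").startswith("rsyslogd-pstats"):
        return None
    a = ACTION_FAILED.match(m.group("log"))
    return {"decoder": "rsyslog-pstats", "log": m.group("log"),
            "extra_data": a.group(1) if a else None}

# The two rules from dan's reply: a broad level-13 parent that fires on any "failed=", and a
# level-0 child that depends on it (if_sid) and matches only when extra_data starts with 0.
RULES = [
    {"id": 105001, "level": 13, "decoded_as": "rsyslog-pstats", "match": "failed="},
    {"id": 105002, "level": 0, "decoded_as": "rsyslog-pstats", "if_sid": 105001, "extra_data": "^0"},
]

def evaluate(line):
    """Simplified rule walk: a child rule is only tried after its if_sid parent has fired,
    and the most specific (last) matching rule decides the level. Returns the rule or None."""
    event = decode(line)
    if event is None:
        return None
    fired = None
    for rule in RULES:
        if rule["decoded_as"] != event["decoder"]:
            continue
        if "if_sid" in rule and (fired is None or fired["id"] != rule["if_sid"]):
            continue
        if "match" in rule and rule["match"] not in event["log"]:
            continue
        if "extra_data" in rule and (event["extra_data"] is None
                                     or not re.match(rule["extra_data"], event["extra_data"])):
            continue
        fired = rule
    return fired

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line, "->", evaluate(line))
```

The failed=0 line that produced the poster's false alarm ends on 105002 at level 0, while failed=30 stays on 105001 at level 13, and a line from another program never reaches the rules because it is not decoded as rsyslog-pstats.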
