On Thu, Mar 7, 2013 at 11:20 AM, root <[email protected]> wrote:
>
> This problem goes on, I have no idea! :(
>

I think part of the problem is the multiple extra_data fields. Rename them in the <order> options so that each "order" is unique.

>
> thanks & Best Regards
>
> From: root
> Date: 2013-03-06 21:54
> To: dan (ddp); ossec-list
> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
>
> Yes, I restarted my ossec server, but the problem goes on!
>
> thanks & Best Regards
>
> From: dan (ddp)
> Date: 2013-03-06 21:35
> To: root; ossec-list
> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
>
> On Mar 6, 2013 4:30 AM, "root" <[email protected]> wrote:
>>
>> hi,
>>
>> OK, let us see this log:
>>
>> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
>>
>> I want to match "failed=0": if "failed=0" it means "rsyslog is ok", if not, "rsyslog has discarded".
>>
>> The decoder is like this:
>>
>> <decoder name="rsyslog-pstats">
>>   <program_name>^rsyslogd-pstats</program_name>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-action">
>>   <parent>rsyslog-pstats</parent>
>>   <prematch>^action\s\d+</prematch>
>>   <regex offset="after_prematch">^\.*failed=(\d+)$</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-imuxsock">
>>   <parent>rsyslog-pstats</parent>
>>   <prematch>^imuxsock</prematch>
>>   <regex offset="after_prematch">^\.*discarded=(\d+)\s+\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-main">
>>   <parent>rsyslog-pstats</parent>
>>   <prematch offset="after_parent">^main Q: </prematch>
>>   <regex offset="after_prematch">^\.+ discarded.full=(\d+)\s+discarded.nf=(\d+)</regex>
>>   <order>extra_data, extra_data</order>
>> </decoder>
>>
>> The rules are like this:
>>
>> <group name="rsyslog,">
>>
>>   <rule id="105001" level="0">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <extra_data>^0</extra_data>
>>     <description>rsyslog is ok</description>
>>   </rule>
>>
>>   <rule id="105002" level="13">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <match>failed=</match>
>>     <description>rsyslog has discarded</description>
>>   </rule>
>>
>>   <rule id="105003" level="13">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <match>discarded.full=</match>
>>     <description>rsyslog has discarded</description>
>>   </rule>
>>
>>   <rule id="105004" level="13">
>>     <decoded_as>rsyslog-pstats</decoded_as>
>>     <match>discarded=</match>
>>     <description>rsyslog has discarded</description>
>>   </rule>
>> </group>
>>
>> And let us use ossec-logtest to test the log; it seems to be ok!
>>
>> [root@localhost bin]# ./ossec-logtest
>> 2013/03/06 19:24:58 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/06 19:24:58 ossec-testrule: INFO: Started (pid: 18052).
>> ossec-testrule: Type one log per line.
>>
>> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30'
>>        hostname: 'localhost'
>>        program_name: 'rsyslogd-pstats'
>>        log: 'action 2: processed=4421 failed=30'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'rsyslog-pstats'
>>        extra_data: '30'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '105002'
>>        Level: '13'
>>        Description: 'rsyslog has discarded'
>> **Alert to be generated.
>>
>> 2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0'
>>        hostname: 'localhost'
>>        program_name: 'rsyslogd-pstats'
>>        log: 'action 2: processed=4421 failed=0'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'rsyslog-pstats'
>>        extra_data: '0'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '105001'
>>        Level: '0'
>>        Description: 'rsyslog is ok'
>>
>> But the email alert says not!! The email alert is:
>>
>> OSSEC HIDS Notification.
>> 2013 Mar 06 19:27:13
>>
>> Received From: localhost->/var/log/rsyslog-stats
>> Rule: 105002 fired (level 13) -> "rsyslog has discarded"
>> Portion of the log(s):
>>
>> 2013-03-06T19:27:13.304114+08:00 localhost rsyslogd-pstats: action 1: processed=41904 failed=0
>>
>> thanks & Best Regards
>>
>
> I can't play with this right now, but did you restart the ossec server processes?
>
>> From: dan (ddp)
>> Date: 2013-03-06 19:09
>> To: root
>> Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
>>
>> On Mar 6, 2013 12:04 AM, "root" <[email protected]> wrote:
>> >
>> > hi,
>> >
>> > Now my rules are written like this:
>> >
>> > <group name="rsyslog,">
>> >
>> >   <rule id="105001" level="0">
>> >     <decoded_as>rsyslog-pstats</decoded_as>
>> >     <extra_data>^0</extra_data>
>> >     <description>rsyslog is ok</description>
>> >   </rule>
>> >   <rule id="105002" level="13">
>> >     <decoded_as>rsyslog-pstats</decoded_as>
>> >     <match>failed=</match>
>> >     <description>rsyslog has discarded</description>
>> >   </rule>
>> >
>>
>> I think you have these in the wrong order.
>>
>> >   <rule id="105003" level="13">
>> >     <decoded_as>rsyslog-pstats</decoded_as>
>> >     <match>discarded.full=</match>
>> >     <description>rsyslog has discarded</description>
>> >   </rule>
>> >
>> >   <rule id="105004" level="13">
>> >     <decoded_as>rsyslog-pstats</decoded_as>
>> >     <match>discarded=</match>
>> >     <description>rsyslog has discarded</description>
>> >   </rule>
>> > </group>
>> >
>> > But it has many false alarms. Like:
>> >
>> > OSSEC HIDS Notification.
>> > 2013 Mar 06 14:56:13
>> >
>> > Received From: localhost->/var/log/rsyslog-stats
>> > Rule: 105002 fired (level 13) -> "rsyslog has discarded"
>> > Portion of the log(s):
>> >
>> > 2013-03-06T14:56:11.152153+08:00 localhost rsyslogd-pstats: action 1: processed=22404 failed=0
>> >
>> > You see, this is a false alarm, so, how?
>> >
>> > thanks & Best Regards
>> >
>> > From: dan (ddp)
>> > Date: 2013-03-06 07:48
>> > To: ossec-list
>> > Subject: Re: [ossec-list] Re: how can i match nonzero in rules?
>> >
>> > On Mar 4, 2013 5:41 AM, "root" <[email protected]> wrote:
>> > >
>> > > hi
>> > >
>> > > I wrote a rule like this:
>> > >
>> > > <group name="rsyslog,">
>> > >
>> > >   <rule id="105001" level="0">
>> > >     <decoded_as>rsyslog-pstats</decoded_as>
>> > >     <extra_data>^0</extra_data>
>> > >     <description>rsyslog is right</description>
>> > >   </rule>
>> > >
>> > >   <rule id="105002" level="13">
>> > >     <decoded_as>rsyslog-pstats</decoded_as>
>> > >     <extra_data>^1</extra_data>
>> > >     <description>rsyslog is wrong</description>
>> > >   </rule>
>> > >
>> >
>> > You'll have to replace rule [12] with the correct information. The basic idea is to match any value, then eliminate the one you don't want to see.
>> >
>> > <rule 1>
>> > <match>submitted=</match>
>> > </rule 1>
>> >
>> > <rule 2 level="0">
>> > <extra_data>0</extra_data>
>> > </rule 2>
>> >
>> > >
>> > > </group>
>> > >
>> > > But the problem is, if the extra_data value is like "21", it cannot match it....
>> > >
>> > > thanks & Best Regards
>> > >
>> > > From: root
>> > > Date: 2013-03-04 17:08
>> > > To: ossec-list
>> > > Subject: how can i match nonzero in rules?
>> > >
>> > > hi,
>> > >
>> > > Now I have matched the "discarded" value in rsyslog-stats; I want to monitor this: if the value is "0", no alert, and if not, alert it!
>> > >
>> > > So how can I do it?
>> > >
>> > > thanks & Best Regards
>> > >
>> > > --
>> > >
>> > > ---
>> > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > > For more options, visit https://groups.google.com/groups/opt_out.
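As an added illustration of the approach dan describes (match any value, then exempt the one value you don't want with a level-0 rule) and of his other point that each decoded counter should get its own field name, the script below is a small Python model of rule evaluation. It is not code from the thread or from OSSEC. The log lines are constructed after the ones quoted above (the `main Q:` line is made up to fit the rsyslog-pstats-main decoder), the field names `failed`, `discarded_full` and `discarded_nf` and rule id 105005 are this example's own, and the evaluation order it assumes (sibling rules tried from the highest level down, child rules only after their parent matched, the deepest match deciding the level) models how OSSEC orders its rule tree rather than anything verified against the poster's server.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in the shape of the rsyslogd-pstats lines quoted in the
# thread; the "main Q:" line is made up to fit the rsyslog-pstats-main decoder.
SAMPLE_LOGS = [
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=30",
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: action 2: processed=4421 failed=0",
    "2013-03-04T18:29:31.772617+08:00 localhost rsyslogd-pstats: main Q: size=3 enqueued=500 "
    "full=0 discarded.full=0 discarded.nf=7 maxqsize=10",
]


def decode(line: str) -> tuple[str, dict[str, str]]:
    """Stand-in for the thread's decoders, but with one unique field name per
    counter (the renaming dan suggests) instead of several 'extra_data' fields."""
    body = line.split("rsyslogd-pstats: ", 1)[1]
    fields: dict[str, str] = {}
    m = re.search(r"\bfailed=(\d+)$", body)
    if m:
        fields["failed"] = m.group(1)
    m = re.search(r"discarded\.full=(\d+)\s+discarded\.nf=(\d+)", body)
    if m:
        fields["discarded_full"], fields["discarded_nf"] = m.groups()
    return body, fields


@dataclass
class Rule:
    rid: int
    level: int
    match: Optional[str] = None                  # literal that must appear in the log body
    fields: dict = field(default_factory=dict)   # decoded field name -> regex it must satisfy
    if_sid: Optional[int] = None                 # parent rule; tried only after the parent matched


def rule_matches(rule: Rule, body: str, fields: dict[str, str]) -> bool:
    if rule.match is not None and rule.match not in body:
        return False
    return all(name in fields and re.search(pat, fields[name])
               for name, pat in rule.fields.items())


def evaluate(rules: list[Rule], line: str) -> Optional[Rule]:
    """Return the rule that decides the line.
    Assumed order (modelled on OSSEC's rule tree, not verified against the thread's
    server): siblings are tried from the highest level down, the first match wins,
    then its children are tried the same way; the deepest match sets the level."""
    body, fields = decode(line)
    children: dict[Optional[int], list[Rule]] = {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)

    def walk(parent: Optional[int]) -> Optional[Rule]:
        for r in sorted(children.get(parent, []), key=lambda r: -r.level):
            if rule_matches(r, body, fields):
                return walk(r.rid) or r
        return None

    return walk(None)


# Layout 1: the thread's sibling rules (level-0 "ok" rule beside the level-13 rules).
SIBLING_RULES = [
    Rule(105001, 0, fields={"failed": r"^0"}),
    Rule(105002, 13, match="failed="),
    Rule(105003, 13, match="discarded.full="),
]

# Layout 2: dan's "match any value, then eliminate the one you don't want": the level-0
# rule is a child of the alerting rule and anchored on both ends. Rule id 105005 is
# constructed for this example; it is not one of the thread's ids.
PARENT_CHILD_RULES = [
    Rule(105002, 13, match="failed="),
    Rule(105001, 0, if_sid=105002, fields={"failed": r"^0$"}),
    Rule(105003, 13, match="discarded.full="),
    Rule(105005, 0, if_sid=105003, fields={"discarded_full": r"^0$", "discarded_nf": r"^0$"}),
]


def outcome(rules: list[Rule], line: str) -> tuple[Optional[int], int]:
    """(rule id, level) the line ends up with; level 0 means no alert is raised."""
    r = evaluate(rules, line)
    return (r.rid, r.level) if r else (None, 0)


if __name__ == "__main__":
    for name, rules in (("siblings", SIBLING_RULES), ("parent/child", PARENT_CHILD_RULES)):
        for line in SAMPLE_LOGS:
            print(f"{name:13} {outcome(rules, line)}  {decode(line)[0]}")
```

Run as is, the sibling layout gives rule 105002 (level 13) for the `failed=0` line, which is the false alarm the thread shows, while the parent/child layout ends on 105001 at level 0 for that line and still alerts on `failed=30` and on the `discarded.nf=7` line. In OSSEC terms the second layout keeps 105002 as it is and gives 105001 an `<if_sid>105002</if_sid>` together with `<extra_data>^0$</extra_data>`; the closing `$` keeps the exemption from matching any value that merely starts with 0.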
