I just copy/pasted those contents into my own local_decoder.xml and it worked fine. I guess you could try tracing the application to see why it isn't reading that file. Maybe check the SELinux logs to see if that's blocking access...
On Thu, Mar 14, 2013 at 10:17 AM, S Pratap Singh <[email protected]> wrote:
> cat local_decoder.xml
> <decoder name="pure-transfer">
> <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
> <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
> <order>extra_data,dstuser,action,url,status</order>
> </decoder>
>
> cat /etc/issue
> CentOS release 6.3 (Final)
>
> 32 bit
>
> The log file which is storing the transfer log is: /var/log/pure-ftpd/transfer.log
>
>
> On Thu, Mar 14, 2013 at 7:41 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Mar 14, 2013 at 9:59 AM, S Pratap Singh <[email protected]> wrote:
>> > ll /var/ossec/etc/local_decoder.xml
>> > -r--r----- 1 root ossec 262 Mar 14 18:39 /var/ossec/etc/local_decoder.xml
>> >
>> > ll /var/ossec/etc/decoder.xml
>> > -r--r----- 1 root ossec 88975 Jul 12 2011 /var/ossec/etc/decoder.xml
>> >
>> > It's a server installation.
>> >
>>
>> Please provide the entire local_decoder.xml file. What OS/distro/version are you using?
>>
>> > On Thu, Mar 14, 2013 at 7:25 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Thu, Mar 14, 2013 at 9:49 AM, S Pratap Singh <[email protected]> wrote:
>> >> > Yes, the decoder pure-transfer I had defined in the "local_decoder.xml" file, but it was not detecting it. To fix the issue I have changed the log settings for my FTP server to log all the events in the syslog file and enabled rule id 1304 to match upload and download. It worked for me.
>> >> >
>> >> > I am not sure why it was not detecting the decoder "pure-transfer" defined in the file "local_decoder.xml".
>> >> >
>> >>
>> >> What are the permissions on /var/ossec/etc/local_decoder.xml? Permissions on /var/ossec/etc/decoder.xml? Is this a server, agent, or local installation?
>> >>
>> >> >
>> >> > On Thu, Mar 14, 2013 at 6:51 PM, S Pratap Singh <[email protected]> wrote:
>> >> >>
>> >> >> Thanks for the help Dan.. I have fixed the issue and everything works perfectly .. :)
>> >> >>
>> >> >>
>> >> >> On Thu, Mar 14, 2013 at 2:11 PM, S Pratap Singh <[email protected]> wrote:
>> >> >>>
>> >> >>> Hi Dan,
>> >> >>>
>> >> >>> Things are working fine now. But I have another problem: now I am getting most of the alerts for FTP activity, excluding the file upload and download alerts. The rule which you have given works fine, but when I restart OSSEC I am getting the following error:
>> >> >>>
>> >> >>> 2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name: 'pure-transfer'.
>> >> >>> 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>> >> >>> 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> >>> 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
>> >> >>>
>> >> >>> So there are two problems I am facing currently:
>> >> >>> 1. Not getting alerts for upload and download, since this is getting logged into another file and not into the syslog file.
>> >> >>> 2. Facing the issue with the restart of the OSSEC server.
>> >> >>>
>> >> >>> Thanks for your input and help so far.
>> >> >>>
>> >> >>> On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote:
>> >> >>>>
>> >> >>>> On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]> wrote:
>> >> >>>> > All fixed, but I am not getting alerts to my mailbox for FTP activity as for other alerts.
>> >> >>>> >
>> >> >>>>
>> >> >>>> Are you getting other alerts in your email?
>> >> >>>> Do you have access to the maillogs? If so, check to see if the mail is being rejected or something.
>> >> >>>> If not, use tcpdump or something similar to watch mail traffic to see if OSSEC even attempts to send the message.
>> >> >>>>
>> >> >>>> > --
>> >> >>>> >
>> >> >>>> > ---
>> >> >>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> >>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> >>>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >> >>>> >
>> >> >>>
>> >> >>> --
>> >> >>> Regards,
>> >> >>> Pratap Singh
>> >> >>
>> >> >> --
>> >> >> Regards,
>> >> >> Pratap Singh
>> >> >
>> >> > --
>> >> > Regards,
>> >> > Pratap Singh
>> >
>> > --
>> > Regards,
>> > Pratap Singh
>
> --
> Regards,
> Pratap Singh
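The thread never shows what the posted decoder would actually extract from a pure-ftpd transfer line, and the error it discusses ("Invalid decoder name") means the file was not loaded at all, which no pattern test can reveal; the authoritative check for both is feeding a real line to /var/ossec/bin/ossec-logtest on the server. As an added example (not code from the thread, from Dan, or from OSSEC), the script below translates the small OSSEC regex dialect used by the posted decoder into Python's re and runs the prematch/regex/order steps over constructed transfer-log lines, so the field mapping can be sanity-checked offline before touching the server. The sample log lines, the hostnames and the \w and \p character sets in the translation table are assumptions, not values from the page.

```python
import re

# The decoder exactly as posted in the thread (the line-wrapped prematch rejoined).
DECODER = {
    "name": "pure-transfer",
    "prematch": r"^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]",
    "regex": r'^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$',
    "order": ["extra_data", "dstuser", "action", "url", "status"],
}

# Approximate translation of OSSEC's regex dialect (os_regex) to Python's re.
# In OSSEC, \S = non-space, \d = digit, \. = any character, \w = word character,
# \s = space, \p = punctuation; ^ $ ( ) + * | are operators and every other
# character, including [ ] " . - : /, is a literal.  The exact \w and \p sets
# below are assumptions; the posted decoder only uses \S, \d and \.
_OSSEC_CLASSES = {
    "S": r"\S",
    "d": r"\d",
    ".": r".",
    "w": r"[A-Za-z0-9_@-]",
    "s": r" ",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    "\\": r"\\",
}
_OPERATORS = set("^$()+*|")


def ossec_to_python(pattern: str) -> str:
    """Convert an OSSEC decoder pattern to an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(c if c in _OPERATORS else re.escape(c))
            i += 1
    return "".join(out)


def decode(line: str, decoder: dict = DECODER):
    """Apply <prematch>, then <regex>; map captured groups onto <order>.

    Returns None when the decoder would not fire on this line.
    """
    if not re.search(ossec_to_python(decoder["prematch"]), line):
        return None
    match = re.search(ossec_to_python(decoder["regex"]), line)
    if match is None:
        return None
    return dict(zip(decoder["order"], match.groups()))


# Constructed sample lines (not from the thread): two in the CLF-style layout the
# posted decoder expects, one pure-ftpd syslog line that must fall through, and one
# transfer line with a positive UTC offset, which the posted "-\d\d\d\d" rejects.
SAMPLE_LOG = [
    '192.0.2.10 - alice [14/Mar/2013:18:39:02 -0500] "GET /pub/readme.txt" 200 1032',
    '192.0.2.10 - alice [14/Mar/2013:18:40:11 -0500] "PUT /incoming/backup.tgz" 200 5242880',
    "Mar 14 18:41:00 ftphost pure-ftpd: (?@192.0.2.10) [INFO] alice is now logged in",
    '192.0.2.10 - alice [14/Mar/2013:18:42:30 +0530] "GET /pub/readme.txt" 200 1032',
]


def decode_all(lines):
    """Decode every line; returns a list of (line, fields-or-None) pairs."""
    return [(line, decode(line)) for line in lines]


if __name__ == "__main__":
    for line, fields in decode_all(SAMPLE_LOG):
        print(line)
        print("   ->", fields if fields else "no match (decoder does not fire)")
```

Two things the run makes visible that are worth knowing before trusting the decoder in production. First, because `(\.+)` sits before the closing quote rather than after it, the url field comes back with a trailing `"` under this translation (Python's greedy `.+` backtracks to the last `<digits> <digits>` pair); OSSEC's own matcher handles `+` differently, so confirm the real field boundaries with ossec-logtest rather than with this script. Second, the pattern accepts only a `-` before the four-digit UTC offset, so a server logging a positive offset such as `+0530` never reaches the regex at all; that is a property of the posted pattern, not a reason the decoder failed to load, which is the separate problem the thread is about.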
