I recently ran into this same issue. The problem lies in how the decoders and rules work: there's only a single path through the decoders with no backtracking, so if you have something like this:
<decoder name="sshd-accept-broken">
  <parent>sshd</parent>
  <prematch>^Accepted </prematch>
  <regex>never gonna match</regex>
</decoder>

<decoder name="sshd-accept-notbroken">
  <parent>sshd</parent>
  <prematch>^Accepted </prematch>
  <regex offset="after_prematch">publickey for (\S+)</regex>
  <order>dstuser</order>
</decoder>

The 'sshd-accept-notbroken' will *never* be used because the prematch for the first broken decoder trumps it. You may need to tweak the decoders so their prematches aren't so "matchy".

I was going to look into patching the decoder to allow it to backtrack if a "prematch" succeeds followed by a "regex" that fails. For now, my solution has been modifying the stock decoders.xml. Not pretty, but it works.

On Monday, May 27, 2013 6:58:29 PM UTC+2, Dazed wrote:
> Hi
>
> I'm fairly new to OSSEC and am attempting to process our application audit log messages through OSSEC.
>
> The format of log messages is:
>
> YYYY-MM-DD HH:MM:SS Type=USER_AUDIT IP=xx.xx.xx.xx Username=name@domain Message="xxxx"
>
> The reason for the question is that a log in this format appears to be decoded as "windows-date-format" by the vanilla setup.
>
> I was hoping to decode this as a "myapp_audit" (which I keep separate in "local_decoder.xml" rather than embedding within the main "decoder.xml") so that I can feed other child configuration and rules.
>
> When I test this I can only get one or other of "windows-date-format" or "myapp_audit" (depending on where I put my rules in "decoder.xml") but not both. Currently I have my rules working by using "windows-date-format" as the parent of the child decode rule and group of rules, e.g.
>
> >>> /var/ossec/etc/local_decoder.xml
>
> <decoder name="myapp-ip-user">
>   <parent>windows-date-format</parent>
>   <regex offset="after_parent">Type=USER_AUDIT IP=(\S+)\s+Username=(\S+)\s+Message="(\.*):</regex>
>   <order>srcip, user, action</order>
> </decoder>
>
> >>> /var/ossec/rules/local_rules.xml
>
> <group name="windows-date-format">
>
>   <rule id="100200" level="0">
>     <decoded_as>windows-date-format</decoded_as>
>     <description>Custom MYAPP Alert</description>
>   </rule>
>
>   <rule id="100201" level="6">
>     <if_sid>100200</if_sid>
>     <action>Invalid password login attempt</action>
>     <description>MYAPP Invalid password.</description>
>   </rule>
>   ...
> </group>
>
> Is there a better way of doing this, so that my grouping might be more specific to my usage rather than the accidental format match? I suspect I've missed some grouping construct in OSSEC.
>
> Regards
> Dave
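As an added illustration for this thread (not code from the original posts or from OSSEC itself), the following small Python model reproduces the single-pass, no-backtracking selection described in the reply and shows why Dave saw "one or other but not both". Its assumptions are labelled: decoders are tried in file order, the first <prematch> hit is selected, a failing <regex> after a successful <prematch> does not hand the log to the next sibling, and a child list is walked the same way once a parent has matched. Patterns are written in Python re syntax rather than OSSEC's own regex dialect (Dave's "\.*" becomes ".*"), the windows-date-format prematch is an approximation of the stock one, and the log lines are constructed. Decoder names, hostnames and addresses below are illustrative only.

```python
"""Toy model of OSSEC-style single-pass decoder selection (added example,
not OSSEC's own code).  Assumed behaviour, as described in the thread:
decoders are tried in file order; the first whose <prematch> matches wins;
if its <regex> then fails, no sibling is tried; children are walked the
same way after their parent.  Patterns use Python `re` syntax."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Decoder:
    name: str
    prematch: Optional[str] = None                    # <prematch>
    regex: Optional[str] = None                       # <regex>
    order: List[str] = field(default_factory=list)    # <order>
    offset: Optional[str] = None                      # None, "after_prematch" or "after_parent"
    children: List["Decoder"] = field(default_factory=list)


def _select(log: str, decoders: List[Decoder], start: int) -> Optional[Tuple[Decoder, Dict[str, str], int]]:
    """Walk one level.  The first prematch hit wins outright: a failing <regex>
    afterwards yields an empty field set instead of moving to the next sibling.
    Returns (decoder, fields, end index of consumed text) or None."""
    sub = log[start:]                                 # text handed down by the parent
    for d in decoders:
        pm_end = 0
        if d.prematch is not None:
            pm = re.search(d.prematch, sub)
            if not pm:
                continue                              # only a failed prematch moves on
            pm_end = pm.end()
        fields: Dict[str, str] = {}
        consumed = start + pm_end
        if d.regex is not None:
            if d.offset == "after_prematch":
                hay, base = sub[pm_end:], start + pm_end
            elif d.offset == "after_parent":
                hay, base = sub, start
            else:
                hay, base = log, 0
            m = re.search(d.regex, hay)
            if m:
                fields = dict(zip(d.order, m.groups()))
                consumed = base + m.end()
        return d, fields, consumed                    # no backtracking past this point
    return None


def decode(log: str, decoders: List[Decoder]) -> dict:
    """Full pass: one parent, then one of its children, and so on.
    Returns {"chain": [decoder names...], "fields": {...}}."""
    chain: List[str] = []
    fields: Dict[str, str] = {}
    level, start = decoders, 0
    while level:
        hit = _select(log, level, start)
        if hit is None:
            break
        d, got, consumed = hit
        chain.append(d.name)
        fields.update(got)
        level, start = d.children, consumed
    return {"chain": chain, "fields": fields}


# --- Scenario from the reply: two children sharing a prematch (message part only;
#     syslog header / program_name handling is not modelled).  Constructed log line.
SSHD_MSG = "Accepted publickey for alice from 10.0.0.5 port 50022 ssh2"
NOTBROKEN = Decoder("sshd-accept-notbroken", prematch=r"^Accepted ",
                    regex=r"publickey for (\S+)", order=["dstuser"], offset="after_prematch")
SHADOWED = [Decoder("sshd-accept-broken", prematch=r"^Accepted ", regex=r"never gonna match"), NOTBROKEN]
# The fix the reply suggests: make the first prematch less "matchy"
TIGHTENED = [Decoder("sshd-accept-broken", prematch=r"^Accepted password ", regex=r"never gonna match"), NOTBROKEN]

# --- Scenario from the question: a generic date prematch versus the app-specific decoder.
AUDIT_LOG = ('2013-05-27 18:58:29 Type=USER_AUDIT IP=192.0.2.10 Username=dave@example.com '
             'Message="Invalid password login attempt"')                   # constructed
DATE_PM = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "        # approximation of stock windows-date-format
MYAPP_RX = r'Type=USER_AUDIT IP=(\S+)\s+Username=(\S+)\s+Message="(.*)"'
MYAPP_ORDER = ["srcip", "user", "action"]

# Top-level siblings: whichever prematch is tried first takes the log ("one or other, not both")
SIBLINGS_DATE_FIRST = [Decoder("windows-date-format", prematch=DATE_PM),
                       Decoder("myapp_audit", prematch=r"Type=USER_AUDIT", regex=MYAPP_RX, order=MYAPP_ORDER)]
SIBLINGS_MYAPP_FIRST = list(reversed(SIBLINGS_DATE_FIRST))

# Dave's working layout: the app decoder as a child of windows-date-format with offset="after_parent"
PARENT_CHILD = [Decoder("windows-date-format", prematch=DATE_PM, children=[
    Decoder("myapp-ip-user", regex=MYAPP_RX, order=MYAPP_ORDER, offset="after_parent")])]

if __name__ == "__main__":
    for label, log, decs in [("shadowed", SSHD_MSG, SHADOWED), ("tightened", SSHD_MSG, TIGHTENED),
                             ("date first", AUDIT_LOG, SIBLINGS_DATE_FIRST),
                             ("myapp first", AUDIT_LOG, SIBLINGS_MYAPP_FIRST),
                             ("parent/child", AUDIT_LOG, PARENT_CHILD)]:
        print(f"{label:13} -> {decode(log, decs)}")
```

Running it shows the shadowed sshd decoder returning no fields at all, the tightened variant yielding dstuser=alice, the two sibling layouts each selecting only one decoder, and the parent/child layout decoding both the date format and the application fields in one chain.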
