Okay thanks. Is there documentation on how to run the logtest?

On Friday, July 5, 2013 1:52:33 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jul 5, 2013 at 1:41 PM, David Blanton 
> <[email protected]> wrote:
> > So to verify, ^ translates to 'this is the first character/word in the
> > line'.
> >
> > I have not run it through logtest - before I do I wanted to attempt my
> > best efforts at getting the syntax correct. I believe you ran the decoder
> > through
>
> I _rarely_ get any (reasonably complicated) decoders/rules working 
> without tweaks after running log samples through logtest. 
>
> > the logtest and it came up as working. I'm just having a hard time
> > piecing together the rules to match the decoder because I am not getting
> > alerts when the rules should be getting triggered.
> >
> > So what tags would match the extra_data in the decoder? Should I be
> > looking at any other tags in my rules?
> >
> > 
>
> I think I misunderstood your question. Whatever is in <extra_data> can 
> also be found with <match>. So you can either do 
> <extra_data>301</extra_data> or <match>301</match>. Using the 
> extra_data tag is a bit stricter. 
>
>
> > 
> > On Friday, July 5, 2013 1:36:04 PM UTC-4, dan (ddpbsd) wrote: 
> >> 
> >> On Fri, Jul 5, 2013 at 1:30 PM, David Blanton 
> >> <[email protected]> wrote: 
> >> > Here is what I currently have for rules, and for reference I will
> >> > link my decoder.
> >> > 
> >> > <group name="bnc3prod"> 
> >> >   <rule id="100002" level="0"> 
> >> >   <decoded_as>bnc3prod</decoded_as> 
> >> >   <description>BATCH FAILED: error generated </description> 
> >> >   </rule> 
> >> > 
> >> > <rule id="100003" level="10"> 
> >> > <if_sid>100002</if_sid> 
> >> > <status>^FAILED</status> 
> >> > <match>^301</match> 
> >> > <description>FAILED: 301 PKZIP file or court disk</description> 
> >> > </rule> 
> >> > 
> >> > <rule id="100004" level="10">
> >> > <if_sid>100002</if_sid>
> >> > <status>^FAILED</status>
> >> > <match>^302</match>
> >> > <description>FAILED: 302 Inconsistent case#</description>
> >> > </rule>
> >> >
> >> > <rule id="100005" level="10">
> >> > <if_sid>100002</if_sid> 
> >> > <status>^FAILED</status> 
> >> > <match>^303</match> 
> >> > <description>Number of fields in record incorrect</description> 
> >> > </rule> 
> >> > 
> >> > </group> 
> >> > 
> >> > This is just an example, I have more rules, it's just I believe 3 
> >> > gives you guys the idea. 
> >> > 
> >> > Here is the decoder: 
> >> > 
> >> > <decoder name="bnc3prod"> 
> >> >   <prematch>^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ </prematch> 
> >> >   <regex offset="after_prematch">^(\S+): \S(\d+)$</regex> 
> >> >   <order>status, extra_data</order> 
> >> > </decoder> 
> >> > 
> >> > 
> >> > Now my question is, in the decoder file, I am seeing two things for 
> >> > the <program_name> tag. One with 
> >> > <program_name>^bnc3prod</program_name> and 
> >> > <program_name>bnc3prod</program_name>. Which one is correct? When 
> >> > would the "^" be used. Same goes for the <match> and <status> tag. 
> >> > Some use the ^ and others do not. 
> >> > 
> >> 
> >> I prefer using the "^" in program_name fields. If the first character 
> >> you have in <program_name> will always be the first character of the 
> >> program name, use the "^." 
> >> 
> >> > Also, does the <extra_data> in the decoder line up with <match>? 
> >> > 
> >> 
> >> It's hard to tell. I don't think you want the "^" in the <match> field 
> >> though. The number won't be the first character in the log message. 
> >> Have you run it through ossec-logtest? Does it work? 
> >> 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it,
> >> > send an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> >> > 
> >> > 

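As an added example (not code from the thread or from OSSEC itself), the following Python emulates the bnc3prod decoder and the three rule tags discussed above, to show why `<match>^301</match>` never fires on this log format while `<match>301</match>` and `<extra_data>301</extra_data>` do, and why the extra_data form is the stricter one. It assumes the two sample log lines (constructed here to fit the decoder's prematch) and that the thread's OSSEC patterns behave the same under Python's `re`.

```python
import re

# Constructed sample log lines shaped to satisfy the thread's prematch;
# the field values are made up for illustration.
SAMPLE_LOG = "2013-0705: batchjob 12-34 56-78 casefile FAILED: E301"
# Second constructed line: extra_data is 302, but "301" appears in the date.
SAMPLE_LOG_DATE_301 = "2013-0301: batchjob 12-34 56-78 casefile FAILED: E302"

# The decoder from the thread. OSSEC has its own regex engine; assuming
# these particular patterns mean the same thing in Python's re.
PREMATCH = re.compile(r"^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ ")
REGEX = re.compile(r"^(\S+): \S(\d+)$")
ORDER = ("status", "extra_data")


def decode(log):
    """Emulate the bnc3prod decoder: prematch must hit at the start of the
    line, then the regex runs on the remainder (offset="after_prematch")."""
    pre = PREMATCH.match(log)
    if pre is None:
        return None
    m = REGEX.match(log[pre.end():])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


def rule_matches(log, fields, match=None, status=None, extra_data=None):
    """Emulate the rule tags: <match> is tested against the whole log line,
    so a leading ^ demands the text at the very start of the message, while
    <status> and <extra_data> are tested against the decoded fields only."""
    if fields is None:          # nothing decoded, so <decoded_as> would fail
        return False
    checks = (
        (match, log),
        (status, fields.get("status", "")),
        (extra_data, fields.get("extra_data", "")),
    )
    return all(re.search(pat, value) for pat, value in checks if pat is not None)
```

Running `rule_matches(SAMPLE_LOG_DATE_301, decode(SAMPLE_LOG_DATE_301), match="301")` returns True because the date contains 301, whereas the same check with `extra_data="301"` returns False.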