On Fri, Jul 5, 2013 at 1:56 PM, David Blanton <[email protected]> wrote:
> Okay thanks. Is there documentation on how to run the logtest?
>

Besides the hundreds of examples I've provided on the list? Yes:
http://ossec.net/doc/programs/ossec-logtest.html

> On Friday, July 5, 2013 1:52:33 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jul 5, 2013 at 1:41 PM, David Blanton
>> <[email protected]> wrote:
>> > So to verify, ^ translates to 'this is the first character/word in the
>> > line'.
>> >
>> > I have not run it through logtest - before I do I wanted to attempt my
>> > best efforts at getting the syntax correct. I believe you ran the decoder
>> > through
>>
>> I _rarely_ get any (reasonably complicated) decoders/rules working
>> without tweaks after running log samples through logtest.
>>
>> > the logtest and it came up as working. I'm just having a hard time
>> > piecing together the rules to match the decoder because I am not getting
>> > alerts when the rules should be getting triggered.
>> >
>> > So what tags would match the extra_data in the decoder? Should I be
>> > looking at any other tags in my rules?
>> >
>>
>> I think I misunderstood your question. Whatever is in <extra_data> can
>> also be found with <match>. So you can either do
>> <extra_data>301</extra_data> or <match>301</match>. Using the
>> extra_data tag is a bit stricter.
>>
>> >
>> > On Friday, July 5, 2013 1:36:04 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Jul 5, 2013 at 1:30 PM, David Blanton
>> >> <[email protected]> wrote:
>> >> > Here is what I currently have for rules, and for reference I will
>> >> > link my decoder.
>> >> >
>> >> > <group name="bnc3prod">
>> >> >   <rule id="100002" level="0">
>> >> >     <decoded_as>bnc3prod</decoded_as>
>> >> >     <description>BATCH FAILED: error generated </description>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="100003" level="10">
>> >> >     <if_sid>100002</if_sid>
>> >> >     <status>^FAILED</status>
>> >> >     <match>^301</match>
>> >> >     <description>FAILED: 301 PKZIP file or court disk</description>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="100004" level="10">
>> >> >     <if_sid>100002</if_sid>
>> >> >     <status>^FAILED</status>
>> >> >     <match>^302</match>
>> >> >     <description>FAILED: 302 Inconsistent case#</description>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="100005" level="10">
>> >> >     <if_sid>100002</if_sid>
>> >> >     <status>^FAILED</status>
>> >> >     <match>^303</match>
>> >> >     <description>Number of fields in record incorrect</description>
>> >> >   </rule>
>> >> > </group>
>> >> >
>> >> > This is just an example, I have more rules, it's just I believe 3
>> >> > gives you guys the idea.
>> >> >
>> >> > Here is the decoder:
>> >> >
>> >> > <decoder name="bnc3prod">
>> >> >   <prematch>^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ </prematch>
>> >> >   <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
>> >> >   <order>status, extra_data</order>
>> >> > </decoder>
>> >> >
>> >> > Now my question is, in the decoder file, I am seeing two things for
>> >> > the <program_name> tag. One with
>> >> > <program_name>^bnc3prod</program_name> and
>> >> > <program_name>bnc3prod</program_name>. Which one is correct? When
>> >> > would the "^" be used? Same goes for the <match> and <status> tag.
>> >> > Some use the ^ and others do not.
>> >> >
>> >>
>> >> I prefer using the "^" in program_name fields. If the first character
>> >> you have in <program_name> will always be the first character of the
>> >> program name, use the "^".
>> >>
>> >> > Also, does the <extra_data> in the decoder line up with <match>?
>> >> >
>> >>
>> >> It's hard to tell. I don't think you want the "^" in the <match> field
>> >> though. The number won't be the first character in the log message.
>> >> Have you run it through ossec-logtest? Does it work?
>> >>
>> >
>> >
>>
>
>

--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
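As an added example that is not part of the thread: a Python model of the decoder and the rule variants discussed above, run over constructed log lines shaped to fit the prematch. It translates the OSSEC regex syntax to Python re and assumes, as a simplification of OSSEC's matching, that <match> is tested against the whole log line while <status> and <extra_data> are tested against the decoded fields; it shows why `<match>^301</match>` never fires while `<match>301</match>` and `<extra_data>301</extra_data>` do.

```python
import re

# Constructed sample logs (not from the thread), shaped to fit the decoder's prematch.
SAMPLE_LOGS = [
    "20-1: job 07-05 13-30 bnc3prod FAILED: E301",
    "20-2: job 07-05 13-31 bnc3prod FAILED: E302",
    "20-3: job 07-05 13-32 bnc3prod OK: E000",
]

# The thread's decoder, translated to Python re (OSSEC \d, \S and \s map directly).
# The prematch is anchored at the start of the log; with offset="after_prematch",
# the regex is then applied to whatever follows the prematch.
PREMATCH = re.compile(r"^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ ")
REGEX = re.compile(r"^(\S+): \S(\d+)$")
ORDER = ("status", "extra_data")

def decode(log):
    """Simplified model of the bnc3prod decoder: decoded fields, or None if no match."""
    pm = PREMATCH.match(log)
    if not pm:
        return None
    m = REGEX.match(log[pm.end():])
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))

def rule_fires(log, fields, status=None, match=None, extra_data=None):
    """Simplified model of rule tests (assumption): <status> and <extra_data> are checked
    against the decoded fields, <match> against the whole log, so '^' means start of log."""
    if status is not None and not re.search(status, fields.get("status", "")):
        return False
    if extra_data is not None and not re.search(extra_data, fields.get("extra_data", "")):
        return False
    if match is not None and not re.search(match, log):
        return False
    return True

def evaluate(log):
    """Run one log through the decoder and the three rule variants from the thread."""
    fields = decode(log)
    if fields is None:
        return None
    return {
        "fields": fields,
        "anchored_match": rule_fires(log, fields, status="^FAILED", match="^301"),  # as posted
        "unanchored_match": rule_fires(log, fields, status="^FAILED", match="301"),
        "extra_data": rule_fires(log, fields, status="^FAILED", extra_data="301"),
    }
```

Call `evaluate(line)` on each entry of `SAMPLE_LOGS`: only the first line decodes with status FAILED and extra_data 301, and for it the anchored `^301` rule is the one variant that does not fire.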
