On Fri, Aug 9, 2013 at 12:54 PM, David Blanton
<[email protected]> wrote:
> Okay this is pretty weird. I wanted to start from scratch with the decoder
> so I went back and added each piece to the decoder making sure that it
> worked before proceeding to the next piece.
>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d</prematch>
>
> This part works beautifully with: Aug 8 13:41:39
> However, when I get to the next part, the logtest can't analyze the next
> part, the server name. Even when I put in the actual server name. I tried
> \S+-\S+-\S+ as well.
>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d|</prematch>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl</prematch>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug  8 13:41:39 test-bnc3-ctl'
>        hostname: 'reston-cacti'
>        program_name: '(null)'
>        log: 'test-bnc3-ctl'
>
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> The logtest is saying that the log is only test-bnc3-ctl, so now when I do
> this:
>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d|</prematch>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl|</prematch>
> <prematch>^test-bnc3-ctl</prematch>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug  8 13:41:39 test-bnc3-ctl'
>        hostname: 'reston-cacti'
>        program_name: '(null)'
>        log: 'test-bnc3-ctl'
>
> **Phase 2: Completed decoding.
>       decoder: 'bnc3server'
>
> The logtest ignores the Aug 8 \d\d:\d\d:\d\d and only parses the log
> 'test-bnc3-ctl', regardless of me putting the full event in correct syntax
> in the decoder.
>


/tmp/bbb has the log line you posted in the first message.


# cat /tmp/bbb | /var/ossec/bin/ossec-logtest
2013/08/09 13:15:27 ossec-testrule: INFO: Reading local decoder file.
2013/08/09 13:15:28 ossec-testrule: INFO: Started (pid: 3622).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Aug  8 13:41:39 test-bnc3-ctl logger:
::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer not found on
test-bnc3-reston:9305 - couldn't open socket: connection refused'
       hostname: 'test-bnc3-ctl'
       program_name: 'logger'
       log: '::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer
not found on test-bnc3-reston:9305 - couldn't open socket: connection
refused'

(SNIP THE REST OF THE OUTPUT FOR NOW, NO DECODER MATCH)

So we have a few bits here to work with. logger is the name of the
application logging this message. We'll use that. Next look at the
"log" line. It has stripped off the metadata. This is important
(mostly for writing rules), and what we'll be focusing on. Since the
timestamp isn't crazy, I'm going to ignore it.

So, let's create a decoder:
<decoder name="bnc3">
  <program_name>^logger</program_name>
  <prematch>^::\S+:\S+:\S+: </prematch>
</decoder>

This one is pretty simple. It just looks for the program name logger and
a simple prematch.

With that we get:
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Aug  8 13:41:39 test-bnc3-ctl logger:
::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer not found on
test-bnc3-reston:9305 - couldn't open socket: connection refused'
       hostname: 'test-bnc3-ctl'
       program_name: 'logger'
       log: '::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer
not found on test-bnc3-reston:9305 - couldn't open socket: connection
refused'

**Phase 2: Completed decoding.
       decoder: 'bnc3'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.



From there it's just trying to figure out what you want to pull out
into variables, and writing rules.


>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

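Added example, not part of the thread: a small Python model of what the reply describes, namely that ossec-logtest first strips the syslog header (Phase 1) and decoders then match <program_name> against the program and <prematch> against the remaining "log" field, which is why a prematch anchored on the timestamp and hostname never fires. It uses Python's re rather than OSSEC's own regex dialect (the patterns here happen to fall in the shared subset), the predecode/decoder_matches/extract_fields helpers are hypothetical, and the field names in extract_fields are invented for illustration.

```python
import re

# Constructed sample: the log line from the thread, as a single string.
SAMPLE = ("Aug  8 13:41:39 test-bnc3-ctl logger: "
          "::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer not found on "
          "test-bnc3-reston:9305 - couldn't open socket: connection refused")

# BSD syslog header: timestamp, hostname, optional "program[pid]: " tag.
_SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?:(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: )?"
    r"(?P<log>.*)$")

def predecode(line):
    """Approximation of Phase 1 (hypothetical helper, not OSSEC code):
    split off timestamp, hostname and program so decoders only see 'log'."""
    m = _SYSLOG_HDR.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m["hostname"], "program_name": m["program_name"], "log": m["log"]}

def decoder_matches(decoder, event):
    """<program_name> is tested against the pre-decoded program name,
    <prematch> against the pre-decoded 'log' field, never the full event."""
    prog = decoder.get("program_name")
    if prog and not (event["program_name"] and re.search(prog, event["program_name"])):
        return False
    return re.search(decoder["prematch"], event["log"]) is not None

# The decoder from the reply, as a dict instead of XML.
BNC3 = {"name": "bnc3", "program_name": r"^logger", "prematch": r"^::\S+:\S+:\S+: "}
# A header-anchored prematch like the one tried in the question (written for re).
HEADER_ANCHORED = {"name": "bnc3server",
                   "prematch": r"^\w+\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl"}

def extract_fields(event):
    """Hypothetical <regex>/<order> step: pull the pieces worth turning into
    variables out of 'log' once the decoder has matched. Field names are invented."""
    m = re.search(r"^::(\S+):\S+:\S+: Attempt (\d+): BNCServer not found on "
                  r"(\S+):(\d+) - (.*)$", event["log"])
    if not m:
        return None
    return {"src_host": m[1], "attempt": int(m[2]), "dst_host": m[3],
            "dst_port": int(m[4]), "status": m[5]}

if __name__ == "__main__":
    ev = predecode(SAMPLE)
    print(ev)
    print("bnc3 matches:", decoder_matches(BNC3, ev))                  # True
    print("header prematch matches full line:", bool(re.search(HEADER_ANCHORED["prematch"], SAMPLE)))  # True
    print("header prematch matches 'log' field:", decoder_matches(HEADER_ANCHORED, ev))  # False
    print(extract_fields(ev))
```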