Still, very helpful. I was under the incorrect impression that you needed a single decoder and that only a single decoder would grab data for each log entry. What you just showed was a very cool distinction.
On Wed, Oct 2, 2013 at 9:31 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Oct 2, 2013 at 9:29 AM, Jared Greene <[email protected]> wrote:
> > hmmm. kiss.. keep it simple smart.
> >
> > Thanks Dan.
> >
>
> The logs were similar enough that the decoding engine couldn't quite
> see the differences between them well enough (or I didn't have the
> patience to figure it out). So this seemed like the best option.
>
> >
> > On Wed, Oct 2, 2013 at 9:23 AM, dan (ddp) <[email protected]> wrote:
> >>
> >> <decoder name="D2C_WAP">
> >>   <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
> >> </decoder>
> >>
> >> <decoder name="D2C_WAP_Fetch_Failed">
> >>   <parent>D2C_WAP</parent>
> >>   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection </regex>
> >>   <order>user</order>
> >> </decoder>
> >>
> >> <decoder name="D2C_WAP_Fetch_Failed">
> >>   <parent>D2C_WAP</parent>
> >>   <regex>of (\S+) is failed$</regex>
> >>   <order>extra_data</order>
> >> </decoder>
> >>
> >> On Wed, Oct 2, 2013 at 9:03 AM, Jared <[email protected]> wrote:
> >> > I am missing something subtle on the order of operations, but just don't see it.
> >> >
> >> > What is the correct way to do the decoder here to get each of the logs (in green) to provide the >user,extra_data<?
> >> > Does the base decoder "D2C_WAP" need to be more granular / extended further into the log?
> >> >
> >> > Here are my decoders:
> >> >
> >> > <decoder name="D2C_WAP">
> >> >   <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
> >> > </decoder>
> >> >
> >> > <!-- 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed -->
> >> > <decoder name="D2C_WAP_Fetch_Failed">
> >> >   <parent>D2C_WAP</parent>
> >> >   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Get Connection for Schema Fetch of (\.+) is failed</regex>
> >> >   <order>user,extra_data</order>
> >> > </decoder>
> >> >
> >> > <!-- 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed -->
> >> > <decoder name="D2C_WAP_Test_Datasource_failed">
> >> >   <parent>D2C_WAP</parent>
> >> >   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Test Connection of (\.+) is failed</regex>
> >> >   <order>user,extra_data</order>
> >> > </decoder>
> >> >
> >> > Result of ossec-logtest:
> >> >
> >> > 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> >        full event: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
> >> >        hostname: 'ip-300-330-0-110'
> >> >        program_name: '(null)'
> >> >        log: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
> >> > **Phase 2: Completed decoding.
> >> >        decoder: 'D2C_WAP'
> >> >        dstuser: '[email protected]'
> >> >        extra_data: 'MSDYNCRM'
> >> > **Phase 3: Completed filtering (rules).
> >> >        Rule id: '1002'
> >> >        Level: '2'
> >> >        Description: 'Unknown problem somewhere in the system.'
> >> > **Alert to be generated.
> >> >
> >> > 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> >        full event: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
> >> >        hostname: 'ip-300-330-0-110'
> >> >        program_name: '(null)'
> >> >        log: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
> >> > **Phase 2: Completed decoding.
> >> >        decoder: 'D2C_WAP'
> >> > **Phase 3: Completed filtering (rules).
> >> >        Rule id: '1002'
> >> >        Level: '2'
> >> >        Description: 'Unknown problem somewhere in the system.'
> >> > **Alert to be generated.
> >> >
> >> > Thanks - Jared
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
> > --
> > Thank you,
> >
> > Jared R. Greene

--
Thank you,

Jared R. Greene
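The point of dan's layout is that the parent decoder only has to recognise the common prefix, and two child decoders that share a name each pull one field out of the same event, so neither child's regex has to spell out the whole message. The following is an added illustration, not OSSEC's own code and not anything from the thread: a small Python model of that parent/child chain that translates the OSSEC regex dialect (`\d`, `\S`, `\.` meaning "any character", literal `[` and `]`) into Python's and runs dan's three decoders over constructed copies of the two log formats. It assumes, as dan's reply implies, that every matching child of the selected parent contributes the fields named in its `<order>`, and it renders `<order>user</order>` as `dstuser`, which is how ossec-logtest printed it above. The sample addresses and the third, deliberately incomplete log line are constructed.

```python
"""Toy model of an OSSEC decoder chain (added example, not OSSEC's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# OSSEC's regex dialect differs from Python's: \d, \s, \S, \w are classes,
# "\." means "any character", and "[" / "]" / "{" / "}" are plain literals.
_CLASS = {"d": "[0-9]", "s": r"\s", "S": r"\S", "w": r"\w", "W": r"\W", ".": "."}


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex syntax used in decoders.xml to Python's."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _CLASS:
            out.append(_CLASS[pattern[i + 1]])
            i += 2
            continue
        # Meta-characters OSSEC shares with Python keep their meaning; everything
        # else (brackets, braces, an unescaped dot) is a literal in OSSEC.
        out.append(c if c in "()+*?^$|" else re.escape(c))
        i += 1
    return "".join(out)


@dataclass
class Decoder:
    name: str
    prematch: Optional[str] = None
    parent: Optional[str] = None
    regex: Optional[str] = None
    order: List[str] = field(default_factory=list)
    offset: Optional[str] = None  # only "after_parent" is modelled here


# ossec-logtest prints <order>user</order> as "dstuser"; other names pass through.
_FIELD_NAME = {"user": "dstuser"}


def decode(log: str, decoders: List[Decoder]) -> dict:
    """Select a parent by <prematch>, then let every matching child add fields.

    Assumption (what dan's layout relies on): all children of the chosen parent
    are tried, and each one that matches contributes the fields its <order> names.
    """
    result = {"decoder": None, "children": [], "fields": {}}
    for parent in (d for d in decoders if d.parent is None):
        m = re.search(ossec_to_python(parent.prematch), log)
        if m:
            result["decoder"] = parent.name
            after_parent = m.end()  # where offset="after_parent" starts looking
            break
    else:
        return result  # no parent prematch fired: nothing is decoded
    for child in (d for d in decoders if d.parent == result["decoder"]):
        haystack = log[after_parent:] if child.offset == "after_parent" else log
        m = re.search(ossec_to_python(child.regex), haystack)
        if not m:
            continue  # a child that does not match simply adds nothing
        result["children"].append(child.name)
        for order_name, value in zip(child.order, m.groups()):
            result["fields"][_FIELD_NAME.get(order_name, order_name)] = value
    return result


# Dan's parent plus two same-named children, transcribed from his reply.
DAN_DECODERS = [
    Decoder("D2C_WAP", prematch=r"^\d\d:\d\d:\d\d,\d\d\d ERROR "),
    Decoder("D2C_WAP_Fetch_Failed", parent="D2C_WAP", offset="after_parent",
            regex=r"[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection ",
            order=["user"]),
    Decoder("D2C_WAP_Fetch_Failed", parent="D2C_WAP",
            regex=r"of (\S+) is failed$", order=["extra_data"]),
]

# Constructed sample events: the two formats from the thread, plus a third
# line that has a user but no "of ... is failed" tail.
SAMPLE_LOGS = [
    "12:20:35,932 ERROR [DataSourceGetConJob:999] [User: user@example.com] "
    "[Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed",
    "11:44:06,185 ERROR [DataSourceGetConJob:999] [User: user@example.com] "
    "[Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed",
    "12:21:00,001 ERROR [DataSourceGetConJob:1000] [User: user@example.com] "
    "[Id: 42][DataSource]Get Connection for Schema Fetch timed out",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line, DAN_DECODERS))
```

Running it shows both thread formats yielding `dstuser` and `extra_data` from the same pair of children, while the third line yields only `dstuser` because the second child's regex never fires; that partial result is worth checking for in rules, since a rule keyed on `extra_data` would silently not match such events.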
