I got rid of the error. For some reason it was not reading my local_decoder.xml.
I had to update the main decoder.xml file.

Error is gone but I am still not sure how to properly test this.

On Friday, October 25, 2013 3:01:43 PM UTC-4, Gabriel Holder wrote:
>
> Ok, so here is an extract of the log file I'm monitoring:
> [21-Oct-2013 05:00:01] PHP Fatal error:  require_once(): Failed opening required 'global.php' (include_path='.:/usr/share/pear:/usr/local/pear/share/pear:/php/includes:/home/along/PHPUnit-3.6.10') in /var/www/html/jabba/trunk/admin/cron/populate_profile_video_denorm.php on line 2
>
> Here is the entire local_decoder file:
> <!-- Custom decoder for example -->
>
>   <decoder name="php-app">
>      <prematch>^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d</prematch>
>   </decoder>
>
>   <decoder name="php-app-alert">
>      <parent>php-app</parent>
>      <regex offset="after_parent">^ (\d+.\d+.\d+.\d+) PHP app</regex>
>      <order>srcip</order>
>   </decoder>
>
> I adjusted the prematch field to match:
> [21-Oct-2013 05:00:01]
> I think it was done right.
>
>
> On Friday, October 25, 2013 2:54:01 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Oct 25, 2013 at 2:25 PM, Gabriel Holder <[email protected]> wrote:
>> > 
>> > 
>> > On Friday, October 25, 2013 2:18:27 PM UTC-4, dan (ddpbsd) wrote: 
>> >> 
>> >> On Fri, Oct 25, 2013 at 2:11 PM, Gabriel Holder <[email protected]> wrote:
>> >> > Here is my decoder file: 
>> >> 
>> >> This is local_decoder.xml correct?
>> > Yes it is.
>> >> 
>> >> > <!-- Custom decoder for example --> 
>> >> > 
>> >> >   <decoder name="php-app"> 
>> >> >      <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d</prematch> 
>> >> >   </decoder> 
>> >> > 
>> >> >   <decoder name="php-app-alert"> 
>> >> >      <parent>php-app</parent> 
>> >> >      <regex offset="after_parent">^ (\d+.\d+.\d+.\d+) PHP app</regex>
>> >> >      <order>srcip</order> 
>> >> >   </decoder> 
>> >> > 
>> >> > Rules: 
>> >> 
>> >> I'm guessing you put these in local_rules.xml. Do you have nested <group tags?
>> > No I do not. Each group has its own entry.
>> > 
>> > 
>> >> 
>> >> > <group name="syslog,php-app,">
>> >> >   <rule id="110000" level="0">
>> >> >     <decoded_as>php-app</decoded_as>
>> >> >     <description>PHP custom app group.</description>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="110001" level="10">
>> >> >     <if_sid>110000</if_sid>
>> >> >     <srcip>127.0.0.1</srcip>
>> >> >     <match>Fatal</match>
>> >> >     <description>php file edited?</description>
>> >> >   </rule>
>> >> > </group>
>> >> > 
>> >> > Logtest gives an error: 
>> >> > 2013/10/25 14:10:58 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2013/10/25 14:10:58 ossec-analysisd: Invalid decoder name: 'php-app'.
>> >> > 2013/10/25 14:10:58 ossec-testrule(1220): ERROR: Error loading the rules: 'rules_config.xml'.
>> >> 
>> >> These did not give me any errors. You didn't include log samples so I 
>> >> can't test any further. 
>> > 
>> > 
>> > Which log samples would you like? 
>>
>> The ones you want help with. 
>>
>> If you could attach the entire local_decoder.xml file, that'd be 
>> great. I'll try with that directly to see if I can reproduce your 
>> error. 
>>
>> >> 
>> >> 
>> >> > 
>> >> > All I want to do is monitor a specific file for a specific pattern (PHP Fatal Error) and alert when it happens.
>> >> > 
>> >> > 
>> >> > On Friday, October 25, 2013 1:51:26 PM UTC-4, dan (ddpbsd) wrote: 
>> >> >> 
>> >> >> On Fri, Oct 25, 2013 at 1:42 PM, Gabriel Holder <[email protected]> wrote:
>> >> >> > I am brand new to Ossec and I am trying to monitor an agent's file /var/path/something/php.log.
>> >> >> > 
>> >> >> > I know I have to set up a decoder and rules for this except for the life of me, I cannot figure any of this out.
>> >> >> > Ossec's documentation on accomplishing this is meh at best.
>> >> >> > 
>> >> >> 
>> >> >> I'll try to integrate this suggestion in the next update. 
>> >> >> 
>> >> >> > How can I set up the decoder/rules so that if the file gets edited with "PHP Fatal Error" I am notified?
>> >> >> 
>> >> >> Start by using ossec-logtest to see how the log message is being
>> >> >> decoded already. You can add a decoder to
>> >> >> /var/ossec/etc/local_decoder.xml on the server if necessary.
>> >> >> Then write a rule in /var/ossec/rules/local_rules.xml (on the server
>> >> >> of course), possibly referencing the decoder the log message decodes as.
>> >> >> 
>> >> >> I'm not sure how much more help I can be without log samples. 
>> >> >> 
>> >> >> > I also cannot figure out WHERE ppl are getting their log lines. 
>> >> >> > 
>> >> >> 
>> >> >> Log files generally. 
>> >> >> 
>> >> >> > Any help would be appreciated. 
>> >> >> > 
>> >> >> > -- 
>> >> >> > 
>> >> >> > --- 
>> >> >> > You received this message because you are subscribed to the 
>> Google 
>> >> >> > Groups 
>> >> >> > "ossec-list" group. 
>> >> >> > To unsubscribe from this group and stop receiving emails from it, 
>> >> >> > send 
>> >> >> > an 
>> >> >> > email to [email protected]. 
>> >> >> > For more options, visit https://groups.google.com/groups/opt_out. 
>>
>> >> > 
>> > 
>>
>

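A complete decoder, rule and logcollector configuration for the PHP fatal-error line quoted in this thread, added here as an illustration; it is not taken from the thread or from OSSEC's own decoder and rule set. It assumes each entry is written as a single line to /var/path/something/php.log (the path Gabriel named), reuses rule ids 110000 and 110001 from the thread, and the choice of the url and id fields for the failing script and line number is mine.

```xml
<!-- /var/ossec/etc/local_decoder.xml (on the server) -->
<!-- Parent decoder: matches the "[21-Oct-2013 05:00:01]" prefix. In OSSEC
     regex syntax \p is one punctuation character (here "[" and "]"), \w an
     alphanumeric, \d a digit; "." is a literal dot and \. any character. -->
<decoder name="php-app">
  <prematch>^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p</prematch>
</decoder>

<!-- Child decoder: runs on the text after the parent's prematch and pulls the
     failing script path and line number into the url and id fields (my field
     choice) so they appear in the alert. -->
<decoder name="php-app-fatal">
  <parent>php-app</parent>
  <prematch offset="after_parent">^ PHP Fatal error:</prematch>
  <regex offset="after_prematch"> in (\S+) on line (\d+)$</regex>
  <order>url, id</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml (on the server) -->
<group name="local,php-app,">
  <!-- Level 0: silently claims every line the php-app decoder recognised.
       Events decoded by a child decoder still carry the parent's name, so
       decoded_as stays php-app. -->
  <rule id="110000" level="0">
    <decoded_as>php-app</decoded_as>
    <description>PHP application log entry.</description>
  </rule>

  <!-- Level 10 alert (above the default email_alert_level of 7) for fatal
       errors only. <match> is a plain substring test on the whole line. -->
  <rule id="110001" level="10">
    <if_sid>110000</if_sid>
    <match>PHP Fatal error</match>
    <description>PHP fatal error in application log.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the agent: tell logcollector to read the
     file one line per event. Without this the decoders and rules never see
     the log at all. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/path/something/php.log</location>
  </localfile>
</ossec_config>
```

To check it before touching the running server, paste the log line into /var/ossec/bin/ossec-logtest on the server and confirm the output reports decoder 'php-app', the url and id fields, and rule 110001 at level 10; a line that only reaches rule 110000 means the <match> text or the child decoder's prematch does not fit the file's actual format.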