I've opened a github repository for this:
https://github.com/SunboX/ossec-owncloud
greetings,
Sunny
On Thursday, 23 January 2014 21:42:12 UTC+1, SunboX wrote:
>
> Ok, got it working with this decoder:
>
> <!-- ownCloud decoder.
> - Example:
> - {"app":"OCP\\Share","message":"Sharing backend
> OCA\\Contacts\\Share\\Addressbook not registered,
> OCA\\Contacts\\Share\\Addressbook is already registered for
> addressbook","level":2,"time":"2014-01-23T$
> -->
> <decoder name="owncloud">
>   <prematch>^{"app":</prematch>
>   <regex>app":"(\S+)","message":"(\.+)","level":(\d+),"time":</regex>
>   <order>action, extra_data, status</order>
> </decoder>
>
> On Thursday, 23 January 2014 20:30:45 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Jan 23, 2014 at 2:28 PM, SunboX <[email protected]> wrote:
>> > Oh, ok. It's a subset of regular regular expressions. ;) Thanks!
>> >
>>
>> Yep, very frustrating. That's on the long todo list as well.
>>
>> > On Thursday, 23 January 2014 20:21:29 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jan 23, 2014 at 2:20 PM, dan (ddp) <[email protected]> wrote:
>> >> > On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote:
>> >> >> On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote:
>> >> >>>
>> >> >>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
>> >> >>> > Want to decode this log message:
>> >> >>> >
>> >> >>> > {"app":"OCP\\Share","message":"Sharing backend
>> >> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> >> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> >> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>> >> >>> >
>> >> >>> > My ossec.conf file:
>> >> >>> >
>> >> >>> > <ossec_config>
>> >> >>> >   <localfile>
>> >> >>> >     <log_format>syslog</log_format>
>> >> >>> >     <location>/var/www/path-to-owncloud/data/owncloud.log</location>
>> >> >>> >   </localfile>
>> >> >>> > </ossec_config>
>> >> >>> >
>> >> >>> > And the local_decoder.xml file:
>> >> >>> >
>> >> >>> > <decoder name="owncloud">
>> >> >>> > <program_name></program_name>
>> >> >>> > <prematch>^{"app":[^}]*}</prematch>
>> >> >>>
>> >> >>> I don't see everything after the ":" in your log sample.
>> >> >>
>> >> >>
>> >> >> Hm, what do you mean by "everything"? ;)
>> >> >>
>> >> >> The RegEx matches:
>> >> >>
>> >> >> exactly: {"app":
>> >> >> then anything that is not a "}": [^}]*
>> >> >> and then exactly a "}": }
>> >> >>
>> >> >> so it should match:
>> >> >>
>> >> >>
>> >> >> {"app":"OCP\\Share","message":"Sharing backend
>> >> >> OCA\\Contacts\\Share\\Addressbook not registered,
>> >> >> OCA\\Contacts\\Share\\Addressbook is already registered for
>> >> >> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>> >> >>
>> >> >
>> >> > Welcome to OSSEC:
>> >> > http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax
>> >> >
>> >>
>> >> I haven't verified it, but it looks like prematch isn't regex enabled
>> >> either:
>> >> http://ossec.net/doc/syntax/head_decoders.html#element-decoder.prematch
>> >>
>> >> >>>
>> >> >>> > </decoder>
>> >> >>> >
>> >> >>> > Response from ossec-logtest:
>> >> >>> >
>> >> >>> > **Phase 1: Completed pre-decoding.
>> >> >>> >        full event: '{"app":"OCP\\Share","message":"Sharing backend OCA\\Contacts\\Share\\Addressbook not registered, OCA\\Contacts\\Share\\Addressbook is already registered for addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>> >> >>> >        hostname: 'cloud'
>> >> >>> >        program_name: '(null)'
>> >> >>> >        log: '{"app":"OCP\\Share","message":"Sharing backend OCA\\Contacts\\Share\\Addressbook not registered, OCA\\Contacts\\Share\\Addressbook is already registered for addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>> >> >>> >
>> >> >>> > **Phase 2: Completed decoding.
>> >> >>> > No decoder matched.
>> >> >>> >
>> >> >>> > Could you please point me in the right direction? How do I get the
>> >> >>> > decoder matching my log message? I tried many combinations of
>> >> >>> > program_name and prematch, nothing worked.
>> >> >>> >
>> >> >>> > greetings
>> >> >>> > Sunny
>> >> >>> >
>> >> >>> > --
>> >> >>> >
>> >> >>> > ---
>> >> >>> > You received this message because you are subscribed to the
>> Google
>> >> >>> > Groups
>> >> >>> > "ossec-list" group.
>> >> >>> > To unsubscribe from this group and stop receiving emails from
>> it,
>> >> >>> > send
>> >> >>> > an
>> >> >>> > email to [email protected].
>> >> >>> > For more options, visit https://groups.google.com/groups/opt_out.
>>
>> >> >>
>> >
>>
>
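Added worked example (my own code, not from the thread, from OSSEC or from ownCloud): a small Python emulation of the decoder that was finally made to work above. os_regex is the subset Dan links to (\w \d \s \t \p \W \D \S \. plus + * ^ $ | and grouping), with no bracket classes, which is why the first attempt with [^}]* never matched. The helper rewrites that subset into a Python `re` pattern, applies prematch and regex the way ossec-logtest phase 2 would, and runs it over constructed ownCloud log lines (the first is the line from the thread re-joined). Assumptions: the character sets follow the OSSEC syntax page, ^ and $ are anchors only at the very start/end of a pattern, and the real engine's backtracking may differ in unusual cases; the sample lines, `ossec_to_python`, `decode`, `prematch_hits` and `raw_vs_json` are mine.

```python
"""Emulate an OSSEC decoder (os_regex subset) against ownCloud's JSON log.

Added example, not OSSEC or ownCloud code.  Assumed from the OSSEC syntax
docs: the escape sets below; '^'/'$' anchor only at pattern start/end; any
other character, including '[' ']' '{' '}' '.', is a literal.
"""
import json
import re

# os_regex escape -> Python re fragment (sets as listed on the OSSEC regex page)
_OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",      # "anything that is not \s", i.e. not a space
    ".": r".",         # \. is "anything"; a bare '.' is a literal period
}


def ossec_to_python(pattern: str) -> str:
    """Translate an os_regex pattern into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in pattern")
            nxt = pattern[i + 1]
            # known class escape, otherwise \( \) \| \\ etc. stand for the literal
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "+*|()":
            out.append(c)
        elif c == "^" and i == 0:
            out.append("^")
        elif c == "$" and i == len(pattern) - 1:
            out.append("$")
        else:
            out.append(re.escape(c))   # '[', ']', '{', '}', '.' ... are literals
        i += 1
    return "".join(out)


# The decoder from the thread (prematch, regex and order as posted).
OWNCLOUD_DECODER = {
    "prematch": r'^{"app":',
    "regex": r'app":"(\S+)","message":"(\.+)","level":(\d+),"time":',
    "order": ("action", "extra_data", "status"),
}
# The first attempt from the thread: a PCRE bracket class inside os_regex.
BROKEN_PREMATCH = r'^{"app":[^}]*}'


def prematch_hits(prematch: str, line: str) -> bool:
    """True if the os_regex prematch matches the line."""
    return re.search(ossec_to_python(prematch), line) is not None


def decode(line: str, decoder=OWNCLOUD_DECODER):
    """Prematch, then regex; returns the ordered fields or None (no decoder matched)."""
    if not prematch_hits(decoder["prematch"], line):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), line)
    if m is None:
        return None
    return dict(zip(decoder["order"], m.groups()))


def raw_vs_json(line: str):
    """Caveat: the regex captures JSON-escaped text; json.loads yields the real value."""
    return decode(line)["action"], json.loads(line)["app"]


# Constructed sample input in ownCloud's one-JSON-object-per-line log format.
SAMPLE_LINES = [
    # the line from the thread, re-joined onto a single line
    r'{"app":"OCP\\Share","message":"Sharing backend OCA\\Contacts\\Share\\Addressbook '
    r'not registered, OCA\\Contacts\\Share\\Addressbook is already registered for '
    r'addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}',
    # a constructed failed-login entry in the same format
    r'''{"app":"core","message":"Login failed: 'admin' (Remote IP: 203.0.113.7)","level":2,"time":"2014-01-23T18:02:11+00:00"}''',
    # a constructed syslog line that must not pass the prematch
    "Jan 23 18:03:00 cloud sshd[1234]: Accepted publickey for sunny from 203.0.113.7 port 51022 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
    print("broken prematch matches:", prematch_hits(BROKEN_PREMATCH, SAMPLE_LINES[0]))
    print("raw vs parsed app field:", raw_vs_json(SAMPLE_LINES[0]))
```

Run it and the syslog line comes back as None (the prematch `^{"app":` rejects it), the broken prematch never matches because `[` and `]` are literal in os_regex, and `raw_vs_json` shows the one thing to keep in mind when writing rules against `action` or `extra_data`: the decoder hands you the JSON-escaped text (`OCP\\Share` with two backslashes), not the unescaped value a JSON parser would give you.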