Hello, I'm testing ossec (2.7.1) on macOS (Mavericks) and I'm trying to customize the configuration, but most of my decoders/rules don't match. Some because there is a space in program_name (like 'Google Chrome Helper'), which is not supported (https://groups.google.com/forum/#!topic/ossec-dev/_yD5W-axGG0), some for unknown reasons. Outside of ossec-logtest, is there a way to validate a regexp? What kind of regexp is it? perl/sed/php/pcre/...? It seems to complain every time I'm escaping '()' into '\(\)' (escaping '[]' seems ok).
I'm taking three examples:

* reference USB device

  Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique): 574343344530333937339999 0x1058 0x1230 0x1050, 2

  <decoder name="kernel">
    <program_name>^kernel</program_name>
  </decoder>

  <decoder name="usb-insert">
    <parent>kernel</parent>
    <prematch>USBMSC Identifier</prematch>
    <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
    <!-- Note: not sure why, but get 'decode-xml: Wrong field ' devicerelease' in the order of decoder 'usb-insert''
    <order>serialid, vendorid, productid, devicerelease,</order>
    -->
    <order>serialid, vendorid, productid</order>
  </decoder>

* some Chrome noise

  Feb 20 11:20:36 HOST Google Chrome Helper[59050]: Process unable to create connection because the sandbox denied the right to lookup com.apple.coreservices.launchservicesd and so this process cannot talk to launchservicesd.

  <decoder name="chrome">
    <!-- Note: not supported (program_name w space): https://groups.google.com/forum/#!topic/ossec-dev/_yD5W-axGG0
    <program_name>Google Chrome Helper</program_name>
    <prematch>^Google Chrome Helper</prematch>
    -->
    <prematch>^Google</prematch>
  </decoder>

  <decoder name="unable-create-connection">
    <parent>chrome</parent>
    <prematch>Process unable to create connection because the sandbox denied the right to lookup</prematch>
  </decoder>

* some Preview noise

  Feb 20 10:51:20 HOST Preview[33917]: It does not make sense to draw an image when [NSGraphicsContext currentContext] is nil. This is a programming error. Break on void _NSWarnForDrawingImageWithNoCurrentContext() to debug. This will be logged only once. This may break in the future.

  <decoder name="preview">
    <program_name>Preview</program_name>
  </decoder>

  <!--
  <decoder name="no-draw-image">
    <parent>preview</parent>
    <prematch>It does not make sense to draw an image when [NSGraphicsContext currentContext] is nil. This is a programming error. Break on void _NSWarnForDrawingImageWithNoCurrentContext() to debug. This will be logged only once. This may break in the future.</prematch>
    <prematch>It does not make sense to draw an image when</prematch>
    <regex>It does not make sense to draw an image when</regex>
  </decoder>
  -->

In all those cases, I didn't manage to get ossec-logtest to match and don't understand why. Any help?

On a more general note, I'm surprised to see that there are not many decoders/rules for macOS, either included in ossec or shared by the community. There are some installation tutorials but no public real-life deployments as far as I've seen. Or is there any place/repository to find some?

Thanks a lot.

Cheers,
Julien
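As an added example (not code from OSSEC or from the poster), the script below approximates how an OSSEC child decoder applies `<prematch>` and `<regex offset="after_prematch">` to the message part of a log line, so a decoder pattern can be sanity-checked offline before going back to ossec-logtest. It translates the OSSEC regex dialect, which is neither PCRE nor POSIX, into Python `re` using the syntax table from the OSSEC documentation (`\w`, `\d`, `\s` as a single space, `\p` for punctuation, `\.` for any character, the `\(` `\)` `\$` `\\` `\|` `\<` escapes, and a bare `.` that is literal). Assumptions: OSSEC's own OS_Regex engine is not reproduced bit for bit; `<prematch>` is treated as literal text with only a leading `^` honoured; decoders are assumed to see the message after the syslog header, which is how the kernel line from the post is fed in; all function names are mine.

```python
"""Offline approximation of OSSEC decoder matching (added example, not OSSEC code).

Assumption: the translation follows the syntax table in the OSSEC regex
documentation; OSSEC's real OS_Regex engine is not reproduced exactly.
"""
import re

# OSSEC character classes.  Unlike PCRE, \s is one space, \. is "any
# character" and a bare '.' is a literal dot.
_PUNCT = '()*+,-.:;<=>?[]!"\'#$%&|{}'
_CLASSES = {
    'w': '[A-Za-z0-9]', 'd': '[0-9]', 's': ' ', 't': '\t',
    'p': '[' + re.escape(_PUNCT) + ']',
    'W': '[^A-Za-z0-9]', 'D': '[^0-9]', 'S': '[^ ]', '.': '.',
}
# Documented escapes; each becomes the literal character.
_ESCAPES = {'$': r'\$', '(': r'\(', ')': r'\)', '\\': r'\\', '|': r'\|', '<': '<'}
# Characters that keep a special meaning; everything else is literal in OSSEC.
_META = set('+*^$|()')


def ossec_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':
            if i + 1 >= len(pattern):
                raise ValueError('pattern ends with a lone backslash')
            nxt = pattern[i + 1]
            if nxt in _CLASSES:
                out.append(_CLASSES[nxt])
            elif nxt in _ESCAPES:
                out.append(_ESCAPES[nxt])
            else:
                raise ValueError('unknown OSSEC escape \\%s' % nxt)
            i += 2
            continue
        out.append(ch if ch in _META else re.escape(ch))
        i += 1
    return ''.join(out)


def fullmatch(pattern, text):
    """True when the OSSEC-style pattern matches the whole text."""
    return re.fullmatch(ossec_to_python(pattern), text) is not None


def prematch_end(message, prematch):
    """Position just after the <prematch> hit, or None if it does not occur.
    Assumption: prematch is literal text; only a leading '^' is emulated."""
    if prematch.startswith('^'):
        text = prematch[1:]
        return len(text) if message.startswith(text) else None
    pos = message.find(prematch)
    return None if pos < 0 else pos + len(prematch)


def decode(message, prematch, regex, order, after_prematch=True):
    """Emulate one child decoder: the prematch must hit, the regex then runs
    over the text after it (offset="after_prematch") or the whole message,
    and captured groups are labelled in <order> sequence.  Extra groups with
    no name in <order> are dropped.  Returns a dict, or None on no match."""
    end = prematch_end(message, prematch)
    if end is None:
        return None
    target = message[end:] if after_prematch else message
    m = re.search(ossec_to_python(regex), target)
    if m is None:
        return None
    names = [name.strip() for name in order.split(',') if name.strip()]
    return dict(zip(names, m.groups()))


# Message part of the USB line from the post (syslog header "kernel[0]: "
# stripped; assumption: this is the portion the decoder is applied to).
USB_MESSAGE = ('USBMSC Identifier (non-unique): 574343344530333937339999 '
               '0x1058 0x1230 0x1050, 2')
USB_REGEX = r': (\S+) (\S+) (\S+) (\S+), \d+'
USB_ORDER = 'serialid, vendorid, productid'


def decode_usb_example():
    """Run the post's usb-insert decoder against the post's kernel line."""
    return decode(USB_MESSAGE, 'USBMSC Identifier', USB_REGEX, USB_ORDER)


if __name__ == '__main__':
    print('translated regex:', ossec_to_python(USB_REGEX))
    print('decoded fields:  ', decode_usb_example())
```

Running it shows the usb-insert regex capturing the four space-separated tokens after the colon, with the fourth capture discarded because `<order>` names only three fields; the `fullmatch` helper is the quick way to see that `a.b` does not match `axb` in this dialect (a bare dot is literal) while `a\.b` does, and that `\(non-unique\)` is accepted as a literal parenthesised string per the documented escape list.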
