> > * reference usb device
> > Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique):
> > 574343344530333937339999 0x1058 0x1230 0x1050, 2
> >
> > <decoder name="kernel">
> >   <program_name>^kernel</program_name>
> > </decoder>
> >
> > <decoder name="usb-insert">
> >   <parent>kernel</parent>
> >   <prematch>USBMSC Identifier</prematch>
> >   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
> >   <!-- Note: not sure why, but get 'decode-xml: Wrong field 'devicerelease'
> >        in the order of decoder 'usb-insert''
> >   <order>serialid, vendorid, productid, devicerelease,</order>
> >   -->
> >   <order>serialid, vendorid, productid</order>
>
> The above aren't valid field names. I'm not sure what good ones would
> be for this, so this is very generic:
>
> <decoder name="usb-stuff">
>   <parent>iptables</parent>
>   <prematch offset="after_parent">^USBMSC Identifier </prematch>
>   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+$</regex>
>   <order>extra_data, extra_data, extra_data, extra_data</order>
> </decoder>
>
From http://www.ossec.net/doc/manual/rules-decoders/create-custom.html:
"<order>srcip, protocol</order> - Defines what the entries in the regex line
are labeled as. The IP address will be labeled as srcip, and the protocol by
proto."
So it doesn't give the expression that we need to use specific words, and
after that, how we label those data to say what it is?

But when checking, I got
# /opt/local/var/ossec/bin/ossec-logtest -v 2>&1 |tee /tmp/logtest
2014/02/20 22:57:19 ossec-testrule: INFO: Reading decoder file /opt/local/var/ossec/etc/decoder.xml.
2014/02/20 22:57:19 ossec-testrule: INFO: Reading decoder file /opt/local/var/ossec/etc/decoder_local_mac.xml.
2014/02/20 22:57:19 decode-xml: Wrong field '' in the order of decoder 'usb-insert'

with
===
<decoder name="usb-insert">
  <parent>iptables</parent>
  <prematch>USBMSC Identifier</prematch>
  <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
  <order>extra_data, extra_data, extra_data, extra_data,</order>
</decoder>
===

After more tests, ossec-logtest validates like this:
<order>extra_data, extra_data, extra_data, extra_data,</order> NOK
<order>extra_data, extra_data, extra_data, extra_data</order> OK
<order>serialid, vendorid, productid, devicerelease,</order> NOK
<order>serialid, vendorid, productid, devicerelease</order> NOK
<order>serialid, vendorid, productid, extra_data</order> OK

but neither the above decoder nor the rules match
===
<group name="syslog,kernel,">
  <rule id="110000" level="0">
    <if_sid>5100</if_sid>
    <decoded_as>usb-insert</decoded_as>
    <description>USB device app group.</description>
  </rule>
</group>
===

> > * some chrome noise
> > Feb 20 11:20:36 HOST Google Chrome Helper[59050]: Process unable to create
> > connection because the sandbox denied the right to lookup
> > com.apple.coreservices.launchservicesd and so this process cannot talk to
> > launchservicesd.
> >
> > <decoder name="chrome">
> >   <!-- Note: not supported (program_name w space):
> >   https://groups.google.com/forum/#!topic/ossec-dev/_yD5W-axGG0
> >   <program_name>Google Chrome Helper</program_name>
> >   <prematch>^Google Chrome Helper</prematch>
> >   -->
> >   <prematch>^Google</prematch>
> > </decoder>
> >
> > <decoder name="unable-create-connection">
> >   <parent>chrome</parent>
> >   <prematch>Process unable to create connection because the sandbox denied
> >   the right to lookup</prematch>
> > </decoder>
> >
>
> This decoder doesn't do anything the chrome decoder doesn't do.
> Anything that matched "unable-create-connections" will identify as the
> chrome decoder. Maybe you should create a rule?
>
I do, but the decoder doesn't match. It's just noise I want to ignore, or at
least put at a low level. I tried this
===
<decoder name="chrome">
  <prematch>^Google</prematch>
</decoder>
===
with rules
===
<group name="syslog,chrome,">
  <rule id="120000" level="0">
    <match>Process unable to create connection because the sandbox denied the right to lookup</match>
    <description>Google Chrome log noise</description>
    <options>no_email_alert</options>
  </rule>
  <rule id="120001" level="0">
    <match>CGSLookupServerRootPort: Failed to look up the port for "com.apple.windowserver.active"</match>
    <description>Google Chrome log noise</description>
    <options>no_email_alert</options>
  </rule>
</group>
===
=> Like this, it seems to work and is identified, even if ossec-logtest doesn't
give any indication of a phase 2/decoder match as said in the above documentation.

> > * some Preview noise
> > Feb 20 10:51:20 HOST Preview[33917]: It does not make sense to draw an image
> > when [NSGraphicsContext currentContext] is nil. This is a programming
> > error. Break on void _NSWarnForDrawingImageWithNoCurrentContext() to debug.
> > This will be logged only once. This may break in the future.
> >
> > <decoder name="preview">
> >   <program_name>Preview</program_name>
> > </decoder>
> >
>
> Maybe this is all you really need? Is there some actionable data in
> the log message that you want to pull out?
>
> > <!--
> > <decoder name="no-draw-image">
> >   <parent>preview</parent>
> >   <prematch>It does not make sense to draw an image when [NSGraphicsContext
> >   currentContext] is nil. This is a programming error. Break on void
> >   _NSWarnForDrawingImageWithNoCurrentContext() to debug. This will be logged
> >   only once. This may break in the future.</prematch>
> >   <prematch>It does not make sense to draw an image when</prematch>
> >   <regex>It does not make sense to draw an image when</regex>
>
> Regexes need an <order>. They don't really make much sense without one.
>
I got it working like for chrome, with just a program_name decoder and a rule
with match this time. So those 2 are working. Just need to make the first one
work, and the way <order> functions is still a bit confusing.

Thanks a lot Dan!

Cheers,
Julien
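To make the decoder/rule interplay in this thread concrete, here is an added example (mine, not OSSEC's code and not anything Julien or Dan posted): a small Python model of what ossec-logtest does with the three sample lines, written so you can see which decoder claims each line, what the four `\S+` captures of the USB decoder end up as under `<order>`, and which rule fires. Assumptions: the usb-insert decoder is modelled with `kernel` as parent (as in the first version posted, not `iptables`); program names are extracted only when they contain no space, which is how "Google Chrome Helper" ends up with no program_name and `^Google` matches the message instead; patterns are Python `re`, not OSSEC's own engine; `<match>` is a plain substring test; `<if_sid>` is not modelled; rule id 130000 for the Preview noise is a hypothetical id, since the thread only says such a rule exists. `parse_order` reproduces the one load-time failure the thread demonstrates for certain, a trailing comma yielding an empty field name (the `Wrong field ''` line above); OSSEC 2.x additionally restricts field names to its built-in set, and which non-empty names a given release accepts is not modelled here.

```python
r"""Toy model of how OSSEC 2.x decoders and rules act on the lines in this thread.
Added example, not OSSEC code: decoders and rules are dicts mirroring the XML
elements used above, and patterns are Python re rather than OSSEC's own engine."""
import re

# Constructed sample lines, in the formats quoted in the thread.
SAMPLE_LOGS = [
    "Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique): "
    "574343344530333937339999 0x1058 0x1230 0x1050, 2",
    "Feb 20 11:20:36 HOST Google Chrome Helper[59050]: Process unable to create "
    "connection because the sandbox denied the right to lookup "
    "com.apple.coreservices.launchservicesd and so this process cannot talk to "
    "launchservicesd.",
    "Feb 20 10:51:20 HOST Preview[33917]: It does not make sense to draw an image "
    "when [NSGraphicsContext currentContext] is nil. This is a programming error.",
]

SYSLOG_HDR = re.compile(r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ (?P<rest>.*)$")
# A program name stops at the first space, '[' or ':', so "Google Chrome Helper"
# yields no program_name and the whole remainder stays the message (assumption).
PROGRAM = re.compile(r"^(?P<prog>[^\s\[:]+)(\[\d+\])?: (?P<msg>.*)$")

DECODERS = [
    {"name": "kernel", "program_name": r"^kernel"},
    {"name": "usb-insert", "parent": "kernel",
     "prematch": r"^USBMSC Identifier ",           # offset="after_parent"
     "regex": r": (\S+) (\S+) (\S+) (\S+), \d+$",  # offset="after_prematch"
     "order": "extra_data, extra_data, extra_data, extra_data"},
    {"name": "chrome", "prematch": r"^Google"},
    {"name": "preview", "program_name": r"^Preview"},
]

RULES = [  # 130000 is a hypothetical id for the Preview rule the thread mentions
    {"id": 110000, "level": 0, "decoded_as": "usb-insert"},
    {"id": 120000, "level": 0, "match": "Process unable to create connection "
                                        "because the sandbox denied the right to lookup"},
    {"id": 120001, "level": 0, "match": "CGSLookupServerRootPort: Failed to look "
                                        'up the port for "com.apple.windowserver.active"'},
    {"id": 130000, "level": 0, "decoded_as": "preview",
     "match": "It does not make sense to draw an image when"},
]

def parse_order(order, decoder_name):
    """Split <order> on commas.  An empty name, which a trailing comma produces,
    is the load-time error ossec-logtest printed in the thread.  OSSEC 2.x also
    restricts the names to its built-in field set; that is not modelled here."""
    names = [n.strip() for n in order.split(",")]
    if "" in names:
        raise ValueError("decode-xml: Wrong field '' in the order of decoder '%s'"
                         % decoder_name)
    return names

def decode(line):
    """Phase 2: first matching parent decoder, then its first matching child."""
    hdr = SYSLOG_HDR.match(line)
    rest = hdr.group("rest") if hdr else line
    pm = PROGRAM.match(rest)
    program, msg = (pm.group("prog"), pm.group("msg")) if pm else (None, rest)
    ev = {"program_name": program, "log": msg, "decoder": None, "fields": []}
    for parent in (d for d in DECODERS if "parent" not in d):
        if "program_name" in parent:
            hit = program is not None and re.search(parent["program_name"], program)
        else:
            hit = re.search(parent["prematch"], msg)
        if not hit:
            continue
        ev["decoder"] = parent["name"]
        for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
            pre = re.search(child["prematch"], msg)  # after_parent == whole message
            if not pre:
                continue
            if "order" not in child:  # Dan's point: a regex needs an order
                raise ValueError("decoder '%s': regex without order" % child["name"])
            rx = re.search(child["regex"], msg[pre.end():])  # after_prematch
            if rx:
                names = parse_order(child["order"], child["name"])
                ev["decoder"] = child["name"]
                ev["fields"] = list(zip(names, rx.groups()))
                break
        break
    return ev

def match_rule(ev):
    """Phase 3: first rule whose decoded_as and match (plain substring) hold."""
    for r in RULES:
        if "decoded_as" in r and r["decoded_as"] != ev["decoder"]:
            continue
        if "match" in r and r["match"] not in ev["log"]:
            continue
        return r
    return None

def process(line):
    """Decode one line and attach the id/level of the rule it fires, if any."""
    ev = decode(line)
    rule = match_rule(ev)
    ev["rule"] = rule["id"] if rule else None
    ev["level"] = rule["level"] if rule else None
    return ev
```

Running `process()` over `SAMPLE_LOGS` shows the USB line decoded as usb-insert with the serial, vendor id, product id and device release all landing under the name extra_data (repeating one name is what `<order>` does when no better built-in name exists), the Chrome line decoded as chrome purely via the `^Google` prematch on the message, and the Preview line decoded via program_name with the noise rule firing on `<match>` alone, which is the pattern that worked for the last two cases in the thread.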
