On Fri, Mar 21, 2014 at 2:35 PM, R Brandt <[email protected]> wrote:
> I'm having a problem with my custom decoder. I have defined only 2 decoders
> under 1 parent. However, only the first decoder works.
> If I switch the order of the decoders, the decoder that didn't work before
> now works.
> Any help?
>
> Thanks.
>
> Basic info. (the server that OSSEC runs on is not connected to the internet
> so I can't do a simple cut and paste)
> Running OSSEC 2.7 on RH5.3
> Monitoring a custom Java application audit log.
>
> Audit format and examples (log entry is all on one line, I just formatted it
> for readability here)
>
> INFO 2014/03/15 08:16:05.088 GMT <http-bio-8443-exec-2>
> ism.acc.ozone.common.utils.ProfileUtils::getSecurityProfile
> <securityAudit>
> <SecurityAuditId>USER_LOGON</SecurityAuditId>
> <Timestamp>2014/03/15 08:16:05.088 UTC</Timestamp>
> <DisplayName>USER_LOGON</DisplayName>
> <UserId>cbrown</UserId>
> <SystemId>tstwa1 192.45.205.167</SystemId>
> <ProcessId>12345</ProcessId>
> <ResourcesParameters></ResourcesParameters>
> <Status>SUCCESS</Status>
> <Criticality>LOW</Criticality>
> <Comments>(varies)</Comments>
> </securityAudit>
>
> INFO 2014/03/15 09:16:05.088 GMT <Timer-1>
> ism.acc.ozone.action.reports.UserAccessListener::auditLogout
> <securityAudit>
> <SecurityAuditId>USER_LOGOUT</SecurityAuditId>
> <Timestamp>2014/03/15 09:16:05.088 UTC</Timestamp>
> <DisplayName>USER_LOGOUT</DisplayName>
> <UserId>cbrown</UserId>
> <SystemId>tstwa1 192.45.205.167</SystemId>
> <ProcessId>12345</ProcessId>
> <ResourcesParameters></ResourcesParameters>
> <Status>SUCCESS</Status>
> <Criticality>LOW</Criticality>
> <Comments>(varies)</Comments>
> </securityAudit>
>
> local_decoder.xml
>
> <decoder name="ISM">
>   <prematch>^INFO \s+\d+/\d\d/\d\d\s+\d\d:\d\d:\d\d.\d\d\d\sGMT</prematch>
> </decoder>
>
> <decoder name="ism_logon">
>   <parent>ISM</parent>
>   <regex offset="after_parent">(USER_LOGON)\.+UserId\p(\w+)\p\.+SystemId\p(\S+)\s(\d+.\d+.\d+.\d)\p</regex>
>   <regex>\.+Status\p(\S+)\p\.+Criticality\p(\w+)\p\.+mments\p(Issuer DN: C=\w\w.O=\w+,OU=\w+,CN=\w+\s\w+\s\S+)\p</regex>
>   <order>action, user, srcuser, srcip, status, extra_data, extra_data</order>
> </decoder>
>
> <decoder name="ism_logout">
>   <parent>ISM</parent>
>   <regex offset="after_parent">(USER_LOGOUT)</regex>
>   <order>action</order>
> </decoder>

I can't do any actual testing of this at the moment, but couldn't these be
combined? Instead of (USER_*) use (\S+) or something? You'll get extra data
with the logout option, but that can be ignored.

> Test1a
>
> echo "INFO above blah, blah USER_LOGON ... </securityAudit>" | ./ossec-logtest -v 2>&1
>
> Result
>
> **Phase 1: Completed pre-decoding.
>        full event: 'INFO above blah, blah USER_LOGON ... </securityAudit>'
>        hostname: 'tstdl2' (OSSEC server host)
>        program_name: '(null)'
>        log: 'INFO above blah, blah again </securityAudit>'
>
> **Phase 2: Completed decoding.
>        decoder: 'ISM'
>        action: 'USER_LOGON'
>        dstuser: 'cbrown'
>        srcuser: 'tstwa1'
>        srcip: '192.45.205.167'
>        status: 'SUCCESS'
>        extra_data: 'LOW'
>        extra_data: '(stuff in Comments field)'
>
> **Rule debugging: ......
>
> Test1b
>
> echo "INFO above blah, blah USER_LOGOUT ... </securityAudit>" | ./ossec-logtest -v 2>&1
>
> Result
>
> **Phase 1: Completed pre-decoding.
>        full event: 'INFO above blah, blah USER_LOGOUT ... </securityAudit>'
>        hostname: 'tstdl2' (OSSEC server host where ossec-logtest running)
>        program_name: '(null)'
>        log: 'INFO above blah, blah again </securityAudit>'
>
> **Phase 2: Completed decoding.
>        decoder: 'ISM'
>
> **Rule debugging: ......
>
> Test2a (swap the positions of the 2 decoder definitions, now LOGOUT comes first)
>
> echo "INFO above blah, blah USER_LOGON ... </securityAudit>" | ./ossec-logtest -v 2>&1
>
> Result
>
> **Phase 1: Completed pre-decoding.
>        full event: 'INFO above blah, blah USER_LOGON ... </securityAudit>'
>        hostname: 'tstdl2' (OSSEC server host)
>        program_name: '(null)'
>        log: 'INFO above blah, blah again </securityAudit>'
>
> **Phase 2: Completed decoding.
>        decoder: 'ISM'
>
> **Rule debugging: ......
>
> Test2b
>
> echo "INFO above blah, blah USER_LOGOUT ... </securityAudit>" | ./ossec-logtest -v 2>&1
>
> Result
>
> **Phase 1: Completed pre-decoding.
>        full event: 'INFO above blah, blah USER_LOGOUT ... </securityAudit>'
>        hostname: 'tstdl2' (OSSEC server host where ossec-logtest running)
>        program_name: '(null)'
>        log: 'INFO above blah, blah again </securityAudit>'
>
> **Phase 2: Completed decoding.
>        decoder: 'ISM'
>        action: 'USER_LOGOUT'
>
> **Rule debugging: ......
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
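The single combined child decoder the reply suggests, written out as an added example that is not from the thread and was not run against the poster's log. The parent decoder ISM and the field order are the poster's; the decoder name ism_audit is made up here. The action is captured with \w+ rather than the reply's \S+ because in this XML the id is followed immediately by <, and \w stops at it whatever the engine does with a run of non-spaces. The Comments capture is widened to \.+ so that a USER_LOGOUT entry whose Comments field carries no Issuer DN still decodes; in OSSEC the two <regex> lines of one decoder are joined into a single expression, so if the poster's narrower Issuer DN pattern is kept, any line whose Comments do not match it produces nothing from this decoder at all, which is what Test1b shows for the logout line.

```xml
<!-- Added example, not the poster's local_decoder.xml: one child decoder
     for every SecurityAuditId instead of one child per id. -->

<!-- Parent: unchanged from the original post. -->
<decoder name="ISM">
  <prematch>^INFO \s+\d+/\d\d/\d\d\s+\d\d:\d\d:\d\d.\d\d\d\sGMT</prematch>
</decoder>

<!-- Child (hypothetical name): USER_LOGON, USER_LOGOUT and any other id
     all land in "action"; the rest of the fields are the same as before.
     \w+ stops at the "<" that closes SecurityAuditId, so the capture is
     exactly the id.  \d+.\d+.\d+.\d+ is the IPv4 form OSSEC's stock
     decoders use. -->
<decoder name="ism_audit">
  <parent>ISM</parent>
  <regex offset="after_parent">SecurityAuditId\p(\w+)\p\.+UserId\p(\w+)\p\.+SystemId\p(\S+)\s(\d+.\d+.\d+.\d+)\p</regex>
  <!-- Comments is captured whole; narrow it back to the poster's
       "Issuer DN: ..." pattern only if you accept that lines without a
       DN will then fail the whole decoder. -->
  <regex>\.+Status\p(\S+)\p\.+Criticality\p(\w+)\p\.+Comments\p(\.+)\p/Comments</regex>
  <order>action, user, srcuser, srcip, status, extra_data, extra_data</order>
</decoder>
```

Check it the same way the poster did, feeding one audit line per test into ossec-logtest -v; both the logon and the logout line should now report decoder 'ISM' with action, dstuser (OSSEC's name for the user field), srcuser, srcip, status and two extra_data values. If you would rather keep two separate children, note that OSSEC's own stock decoders tell sibling children apart with a <prematch> in each child (here USER_LOGON and USER_LOGOUT), not with the <regex> alone.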
