Possibly, but I have a whole list of events I'll need to decode and create rules for, so finding out what I or OSSEC is not doing right is needed anyway.
Thanks

On Friday, March 21, 2014 12:53:17 PM UTC-6, dan (ddpbsd) wrote:
> On Fri, Mar 21, 2014 at 2:35 PM, R Brandt <[email protected]> wrote:
> > I'm having a problem with my custom decoder. I have defined only 2 decoders
> > under 1 parent. However, only the first decoder works.
> > If I switch the order of the decoders, the decoder that didn't work before
> > now works.
> > Any help?
> >
> > Thanks.
> >
> > Basic info. (the server that OSSEC runs on is not connected to the internet
> > so I can't do a simple cut and paste)
> > Running OSSEC 2.7 on RH5.3
> > Monitoring a custom Java application audit log.
> >
> > Audit format and examples (log entry is all on one line, I just formatted it
> > for readability here)
> >
> > INFO 2014/03/15 08:16:05.088 GMT <http-bio-8443-exec-2>
> > ism.acc.ozone.common.utils.ProfileUtils::getSecurityProfile
> > <securityAudit>
> >   <SecurityAuditId>USER_LOGON</SecurityAuditId>
> >   <Timestamp>2014/03/15 08:16:05.088 UTC</Timestamp>
> >   <DisplayName>USER_LOGON</DisplayName>
> >   <UserId>cbrown</UserId>
> >   <SystemId>tstwa1 192.45.205.167</SystemId>
> >   <ProcessId>12345</ProcessId>
> >   <ResourcesParameters></ResourcesParameters>
> >   <Status>SUCCESS</Status>
> >   <Criticality>LOW</Criticality>
> >   <Comments>(varies)</Comments>
> > </securityAudit>
> >
> > INFO 2014/03/15 09:16:05.088 GMT <Timer-1>
> > ism.acc.ozone.action.reports.UserAccessListener::auditLogout
> > <securityAudit>
> >   <SecurityAuditId>USER_LOGOUT</SecurityAuditId>
> >   <Timestamp>2014/03/15 09:16:05.088 UTC</Timestamp>
> >   <DisplayName>USER_LOGOUT</DisplayName>
> >   <UserId>cbrown</UserId>
> >   <SystemId>tstwa1 192.45.205.167</SystemId>
> >   <ProcessId>12345</ProcessId>
> >   <ResourcesParameters></ResourcesParameters>
> >   <Status>SUCCESS</Status>
> >   <Criticality>LOW</Criticality>
> >   <Comments>(varies)</Comments>
> > </securityAudit>
> >
> > local_decoder.xml
> >
> > <decoder name="ISM">
> >   <prematch>^INFO \s+\d+/\d\d/\d\d\s+\d\d:\d\d:\d\d.\d\d\d\sGMT</prematch>
> > </decoder>
> >
> > <decoder name="ism_logon">
> >   <parent>ISM</parent>
> >   <regex offset="after_parent">(USER_LOGON)\.+UserId\p(\w+)\p\.+SystemId\p(\S+)\s(\d+.\d+.\d+.\d)\p</regex>
> >   <regex>\.+Status\p(\S+)\p\.+Criticality\p(\w+)\p\.+mments\p(Issuer DN: C=\w\w.O=\w+,OU=\w+,CN=\w+\s\w+\s\S+)\p</regex>
> >   <order>action, user, srcuser, srcip, status, extra_data, extra_data</order>
> > </decoder>
> >
> > <decoder name="ism_logout">
> >   <parent>ISM</parent>
> >   <regex offset="after_parent">(USER_LOGOUT)</regex>
> >   <order>action</order>
> > </decoder>
> >
>
> I can't do any actual testing of this at the moment, but couldn't these be
> combined? Instead of (USER_*) use (\S+) or something? You'll get extra data
> with the logout option, but that can be ignored.
>
> > Test1a
> >
> > echo "INFO above blah, blah USER_LOGON ... </securityAudit>" | ./ossec-logtest -v 2>&1
> >
> > Result
> >
> > **Phase 1: Completed pre-decoding.
> >
> > full event:'INFO above blah, blah USER_LOGON ... </securityAudit>'
> > hostname: 'tstdl2' (OSSEC server host)
> > program_name: '(null)'
> > log: 'INFO above blah, blah again </securityAudit>'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'ISM'
> > action: 'USER_LOGON'
> > dstuser: 'cbrown'
> > srcuser: 'tstwa1'
> > srcip: '192.45.205.167'
> > status: 'SUCCESS'
> > extra_data: 'LOW'
> > extra_data: '(stuff in Comments field)'
> >
> > **Rule debugging: ......
> >
> > Test1b
> >
> > echo "INFO above blah, blah USER_LOGOUT ... </securityAudit>" | ./ossec-logtest -v 2>&1
> >
> > Result
> >
> > **Phase 1: Completed pre-decoding.
> >
> > full event:'INFO above blah, blah USER_LOGOUT ... </securityAudit>'
> > hostname: 'tstdl2' (OSSEC server host where ossec-logtest running)
> > program_name: '(null)'
> > log: 'INFO above blah, blah again </securityAudit>'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'ISM'
> >
> > **Rule debugging: ......
> >
> > Test2a (swap the positions of the 2 decoder definitions, now LOGOUT comes first)
> >
> > echo "INFO above blah, blah USER_LOGON ... </securityAudit>" | ./ossec-logtest -v 2>&1
> >
> > Result
> >
> > **Phase 1: Completed pre-decoding.
> >
> > full event:'INFO above blah, blah USER_LOGON ... </securityAudit>'
> > hostname: 'tstdl2' (OSSEC server host)
> > program_name: '(null)'
> > log: 'INFO above blah, blah again </securityAudit>'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'ISM'
> >
> > **Rule debugging: ......
> >
> > Test2b
> >
> > echo "INFO above blah, blah USER_LOGOUT ... </securityAudit>" | ./ossec-logtest -v 2>&1
> >
> > Result
> >
> > **Phase 1: Completed pre-decoding.
> >
> > full event:'INFO above blah, blah USER_LOGOUT ... </securityAudit>'
> > hostname: 'tstdl2' (OSSEC server host where ossec-logtest running)
> > program_name: '(null)'
> > log: 'INFO above blah, blah again </securityAudit>'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'ISM'
> > action: 'USER_LOGOUT'
> >
> > **Rule debugging: ......
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
