Hello,
I am trying to fix the following problem with no luck yet. Kindly help me
with the following issue.
I have the following log stored on Windows 2008 in the file
"F:\Programs\myapp\logs\05-11-2014\Error.log":
Error - The process cannot access the file 'INST5.txt' because it is being used by another process.
The ossec_agent.conf contains the following localfile settings:
<localfile>
  <location>F:\Programs\myapp\logs\05-11-2014\Error.log</location>
  <log_format>syslog</log_format>
</localfile>
Then in the server-side archives.log I get the log from Windows 2008:
2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.
I have written the following decoder in local_decoder.xml:
<decoder name="f-error-log">
  <type>syslog</type>
  <prematch>(\d+ \w+ \d+ \d+:\d+:\d+) \(w2008\) </prematch>
  <regex>\d+ \w+ \d+ \d+:\d+:\d+ \((w2008)\) (\d+.\d+.\d+.\d+)->(\S+) (Error) - (\.+)</regex>
  <order>system_name,srcip,extra_data,status,extra_data</order>
</decoder>
I also have the following rules:
<group name="finbridge,">
  <rule id="100060" level="0">
    <decoded_as>f-error-log</decoded_as>
    <description>F Error Messages grouped.</description>
  </rule>
  <rule id="100061" level="5">
    <if_sid>100060</if_sid>
    <match>Error</match>
    <description>F Error</description>
  </rule>
</group>
When I run ossec-logtest, I see the decoders and rules are working properly:
**Phase 1: Completed pre-decoding.
full event: '2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.'
hostname: 'alienvault'
program_name: '(null)'
log: '2014 Nov 05 09:02:02 (2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.'
**Phase 2: Completed decoding.
decoder: 'f-error-log'
system_name: 'w2008'
srcip: '192.1.1.1'
extra_data: '\Programs\myapp\logs\05-11-2014\Error.log'
status: 'Error'
extra_data: 'The process cannot access the file 'INST5.txt' because it is being used by another process.'
**Phase 3: Completed filtering (rules).
Rule id: '100061'
Level: '5'
Description: 'F Error'
**Alert to be generated.
Then I restarted the ossec service on the ossec server and added the following
line to "F:\Programs\myapp\logs\05-11-2014\Error.log" to see if I get
alerts in alerts.log:
Error - The process started successfully
I can see the above log in archives.log:
2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process started successfully
But when I check alerts.log, there are no alerts :(
I spent a couple of hours and double-checked the config etc., but still I
cannot see an alert in alerts.log.
Thank you in advance.
Sathish.
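As an added example (not part of Sathish's post or of OSSEC itself), the Python harness below applies the posted decoder to two constructed lines: the archives.log line, which carries the date, agent name and ip->location header that the OSSEC server prepends when it archives an event, and the bare line the agent reads from Error.log, which is what ossec-analysisd actually hands to decoders. ossec-logtest was fed the archived form, so the prematch succeeded there; against the bare line it cannot. The harness translates only the OSSEC regex escapes the decoder uses (\d, \w, \s, \S, \., escaped parentheses) to Python `re`, so it approximates OSSEC's matcher rather than reproducing it, and the second decoder (MESSAGE_DECODER, written against the bare message) and its field names are my assumptions, not anything from the thread.

```python
import re

# OSSEC regex escapes used by the posted decoder, mapped onto Python re syntax.
# OSSEC's own matcher is simpler than re; only this subset is translated.
_OSSEC_ESCAPES = {
    "d": r"[0-9]",
    "w": r"[A-Za-z0-9@_\-]",   # OSSEC \w also admits '-', '@' and '_'
    "s": r" ",
    "S": r"[^ ]",
    ".": r".",                 # OSSEC "\." means "any character"
    "(": r"\(",
    ")": r"\)",
    "\\": r"\\",
}


def ossec_to_python_regex(pattern: str) -> str:
    """Translate the OSSEC regex subset above into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt not in _OSSEC_ESCAPES:
                raise ValueError(f"unsupported OSSEC escape \\{nxt}")
            out.append(_OSSEC_ESCAPES[nxt])
            i += 2
        elif ch in "()+*^$":      # grouping, repetition and anchors carry over unchanged
            out.append(ch)
            i += 1
        else:                     # everything else, a bare '.' included, is literal in OSSEC
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def decode(decoder: dict, line: str):
    """Mimic one decoder pass: prematch must hit, then regex groups fill <order>."""
    if not re.search(ossec_to_python_regex(decoder["prematch"]), line):
        return None
    m = re.search(ossec_to_python_regex(decoder["regex"]), line)
    if not m:
        return None
    # A name repeated in <order> (extra_data twice in the post) keeps the last value here.
    return dict(zip(decoder["order"].split(","), m.groups()))


# The decoder exactly as posted in the thread.
POSTED_DECODER = {
    "prematch": r"(\d+ \w+ \d+ \d+:\d+:\d+) \(w2008\) ",
    "regex": r"\d+ \w+ \d+ \d+:\d+:\d+ \((w2008)\) (\d+.\d+.\d+.\d+)->(\S+) (Error) - (\.+)",
    "order": "system_name,srcip,extra_data,status,extra_data",
}

# Assumed alternative (not from the thread): match the bare message the agent ships.
MESSAGE_DECODER = {
    "prematch": r"^Error - ",
    "regex": r"^(Error) - (\.+)$",
    "order": "status,extra_data",
}

# Constructed samples: the archives.log line carries the header the OSSEC server
# prepends when it writes the archive; the agent only sends the bare line it read
# from Error.log, and that bare line is what the decoders see.
ARCHIVED_LINE = (
    "2014 Nov 05 09:02:02 (w2008) 192.1.1.1->"
    "\\Programs\\myapp\\logs\\05-11-2014\\Error.log "
    "Error - The process cannot access the file 'INST5.txt' because it is being used by another process."
)
RAW_AGENT_LINE = (
    "Error - The process cannot access the file 'INST5.txt' because it is being used by another process."
)


if __name__ == "__main__":
    for name, dec in (("posted", POSTED_DECODER), ("message", MESSAGE_DECODER)):
        for label, line in (("archives.log line", ARCHIVED_LINE), ("raw agent line", RAW_AGENT_LINE)):
            print(f"{name:8s} decoder on {label:18s}: {decode(dec, line)}")
```

Running it prints a decoded field set for the posted decoder only on the archived line and None on the raw agent line, while the message-form decoder decodes the raw line (and the later "Error - The process started successfully" line) but not the archived one. The same check can be made with the real tool by pasting only the bare Error.log line, without the archives.log header, into ossec-logtest.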