What Dan says is accurate, and a visual representation might be helpful. For this log:

2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process started successfully

This part is from the OSSEC agent:

2014 Nov 05 09:10:02 (w2008) 192.1.1.1->

And this part is from the log on the remote server:

\Programs\myapp\logs\05-11-2014\Error.log Error - The process started successfully

And this part is what is likely processed by the Decoder/Rule (the actual message):

Error - The process started successfully

Thus you should write your rule and decoder to work on that string. Does this help, sir?

To be honest, we saw a similar issue with OpenVPN logs on 2.7.1 and had to write the decoder about 3 different times. It all worked in logtest, but never in production, just as you describe, until we trimmed down what we were looking for within the log.

@Dan, do the decoder and logtest work at all differently than a live event? I stink at digging through source code, sir...

On Wednesday, November 5, 2014 9:21:27 AM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Nov 5, 2014 at 1:47 AM, <[email protected]> wrote:
> > Hello,
> >
> > I am trying to fix the following problem and no luck yet.. Kindly help me on the following issue.
> >
> > I have the following log stored in windows 2008 in the file called "F:\Programs\myapp\logs\05-11-2014\Error.log"
> >
> > Error - The process cannot access the file 'INST5.txt' because it is being used by another process.
> >
> > The ossec_agent.conf contains the following localfile settings:
> >
> > <localfile>
> >   <location>F:\Programs\myapp\logs\05-11-2014\Error.log</location>
> >   <log_format>syslog</log_format>
> > </localfile>
> >
> > Then in the server side archives.log I get the log from windows 2008:
> >
> > 2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.
> >
>
> If this is taken straight out of archives.log there is a header attached to it. I'd try using the log message as detailed earlier, starting with "Error."
>
> > I have written the following decoder in local_decoder.xml:
> >
> > <decoder name="f-error-log">
> >   <type>syslog</type>
> >   <prematch>(\d+ \w+ \d+ \d+:\d+:\d+) \(w2008\) </prematch>
> >   <regex>\d+ \w+ \d+ \d+:\d+:\d+ \((w2008)\) (\d+.\d+.\d+.\d+)->(\S+) (Error) - (\.+)</regex>
> >   <order>system_name,srcip,extra_data,status,extra_data</order>
> > </decoder>
> >
> > And also I have the following rules:
> >
> > <group name="finbridge,">
> >   <rule id="100060" level="0">
> >     <decoded_as>f-error-log</decoded_as>
> >     <description>F Error Messages grouped.</description>
> >   </rule>
> >
> >   <rule id="100061" level="5">
> >     <if_sid>100060</if_sid>
> >     <match>Error</match>
> >     <description>F Error</description>
> >   </rule>
> > </group>
> >
> > When I run ossec-logtest I see the decoders and rules are working properly:
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.'
> >        hostname: 'alienvault'
> >        program_name: '(null)'
> >        log: '2014 Nov 05 09:02:02 (2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'f-error-log'
> >        system_name: 'w2008'
> >        srcip: '192.1.1.1'
> >        extra_data: '\Programs\myapp\logs\05-11-2014\Error.log'
> >        status: 'Error'
> >        extra_data: 'The process cannot access the file 'INST5.txt' because it is being used by another process.'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100061'
> >        Level: '5'
> >        Description: 'F Error'
> > **Alert to be generated.
> >
> > Then I have restarted ossec service on ossec server and added the following line on "F:\Programs\myapp\logs\05-11-2014\Error.log" to see if I get alerts in alerts.log
> >
> > Error - The process started successfully
> >
> > I can see the above log in archives.log:
> >
> > 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process started successfully
> >
> > But when I check alerts.log there are no alerts :(
> >
> > I spent a couple of hours and double checked the config and etc.. still I cannot see an alert in alerts.log.
> >
> > Thank you in advance.
> >
> > Sathish.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
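The split described in the reply above, as an added example that is not part of this thread or of OSSEC itself: a small Python script that peels the archives.log prefix off a line and then runs a trimmed decoder against what is left, which is the text analysisd actually gets from the agent. It shows why the thread's original prematch fires in ossec-logtest when the archives.log line is pasted in, but not on the bare "Error - ..." message. Assumptions: the prefix layout is the one visible in the thread (YYYY Mon DD HH:MM:SS (agent) ip->location message); the OSSEC patterns are hand-translated into Python `re`, since OSSEC's os_regex engine is not Python's; and the decoder in `TRIMMED_DECODER_XML` is a suggested replacement for the poster's local_decoder.xml, not something the original poster tested.

```python
import re

# Constructed sample lines in the archives.log form shown in the thread.
ARCHIVE_LINES = [
    "2014 Nov 05 09:02:02 (w2008) 192.1.1.1->"
    "\\Programs\\myapp\\logs\\05-11-2014\\Error.log "
    "Error - The process cannot access the file 'INST5.txt' "
    "because it is being used by another process.",
    "2014 Nov 05 09:10:02 (w2008) 192.1.1.1->"
    "\\Programs\\myapp\\logs\\05-11-2014\\Error.log "
    "Error - The process started successfully",
]

# Prefix layout as it appears in archives.log (assumed from the thread):
#   YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location message
ARCHIVE_HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)->"
    r"(?P<location>\S+) "
    r"(?P<message>.*)$"
)

# Python rendering of the thread's original <prematch>:
#   (\d+ \w+ \d+ \d+:\d+:\d+) \(w2008\)
# It can only succeed on text that still carries the archives.log prefix.
ORIGINAL_PREMATCH = re.compile(r"\d+ \w+ \d+ \d+:\d+:\d+ \(w2008\) ")

# Suggested replacement decoder (an assumption, not from the thread), written
# against the message alone.  In os_regex, \.+ means "one or more of any char".
TRIMMED_DECODER_XML = """\
<decoder name="f-error-log">
  <prematch>^Error - </prematch>
  <regex>^(Error) - (\\.+)$</regex>
  <order>status,extra_data</order>
</decoder>
"""
# Python rendering of that <regex>, used only for the emulation below.
TRIMMED_REGEX = re.compile(r"^(Error) - (.+)$")


def split_archive_line(line):
    """Return (prefix_fields, message); prefix_fields is None if no prefix."""
    m = ARCHIVE_HEADER.match(line)
    if m is None:
        return None, line
    fields = {k: m.group(k) for k in ("ts", "agent", "srcip", "location")}
    return fields, m.group("message")


def original_prematch_hits(text):
    """True if the thread's original prematch would fire on this text."""
    return ORIGINAL_PREMATCH.search(text) is not None


def decode_trimmed(message):
    """Emulate the trimmed decoder; returns the decoded fields or None."""
    m = TRIMMED_REGEX.match(message)
    if m is None:
        return None
    return {"status": m.group(1), "extra_data": m.group(2)}


if __name__ == "__main__":
    for line in ARCHIVE_LINES:
        prefix, message = split_archive_line(line)
        print("archives.log prefix :", prefix)
        print("message agent sent  :", message)
        print("original prematch   : archive line=%s, bare message=%s"
              % (original_prematch_hits(line), original_prematch_hits(message)))
        print("trimmed decoder     :", decode_trimmed(message))
        print()
```

To check this on the real server, feed ossec-logtest the bare message rather than the archives.log line, for example `echo "Error - The process started successfully" | /var/ossec/bin/ossec-logtest`; if the trimmed decoder and rule 100061 fire there, they will also fire on live events, because that is the text analysisd receives.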
