On Thu, Nov 6, 2014 at 7:12 AM, <[email protected]> wrote:
> What Dan says is accurate, and a visual representation might be helpful.
>
> For this log:
>
> 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process started successfully
>
> This part is from the OSSEC agent:
>
> 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->
>
> And this part is from the log on the remote server:
>
> \Programs\myapp\logs\05-11-2014\Error.log Error - The process started successfully
>
> And this part is what is likely processed by the Decoder/Rule (the actual
> message):
>
> Error - The process started successfully
>
> Thus you should write your rule and decoder to work on that string. Does
> this help, sir?
>
>
> To be honest, we saw a similar issue with OpenVPN logs on 2.7.1 and had to
> write the decoder about 3 different times. It all worked in logtest, but
> never in production, just as you describe, until we trimmed down what we
> were looking for within the log.
>
> @Dan, do the decoder and logtest work at all differently than a live
> event? I stink at digging through source code, sir...........
>
"It shouldn't."
>
>
> On Wednesday, November 5, 2014 9:21:27 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Nov 5, 2014 at 1:47 AM, <[email protected]> wrote:
>> > Hello,
>> >
>> > I am trying to fix the following problem and have had no luck yet. Kindly help
>> > me with the following issue.
>> >
>> >
>> > I have the following log stored on Windows 2008 in the file called
>> > "F:\Programs\myapp\logs\05-11-2014\Error.log":
>> >
>> > Error - The process cannot access the file 'INST5.txt' because it is
>> > being used by another process.
>> >
>> > The ossec_agent.conf contains the following localfile settings:
>> >
>> > <localfile>
>> >   <location>F:\Programs\myapp\logs\05-11-2014\Error.log</location>
>> >   <log_format>syslog</log_format>
>> > </localfile>
>> >
>> > Then in the server-side archives.log I get the log from Windows 2008:
>> >
>> > 2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process
>> > cannot access the file 'INST5.txt' because it is being used by another
>> > process.
>> >
>>
>> If this is taken straight out of archives.log there is a header
>> attached to it. I'd try using the log message as detailed earlier,
>> starting with "Error."
>>
>> > I have written the following decoder in local_decoder.xml:
>> >
>> > <decoder name="f-error-log">
>> >   <type>syslog</type>
>> >   <prematch>(\d+ \w+ \d+ \d+:\d+:\d+) \(w2008\) </prematch>
>> >   <regex>\d+ \w+ \d+ \d+:\d+:\d+ \((w2008)\) (\d+.\d+.\d+.\d+)->(\S+) (Error) - (\.+)</regex>
>> >   <order>system_name,srcip,extra_data,status,extra_data</order>
>> > </decoder>
>> >
>> > And also I have the following rules:
>> >
>> > <group name="finbridge,">
>> >   <rule id="100060" level="0">
>> >     <decoded_as>f-error-log</decoded_as>
>> >     <description>F Error Messages grouped.</description>
>> >   </rule>
>> >
>> >   <rule id="100061" level="5">
>> >     <if_sid>100060</if_sid>
>> >     <match>Error</match>
>> >     <description>F Error</description>
>> >   </rule>
>> > </group>
>> >
>> > When I run ossec-logtest I see the decoders and rules are working
>> > properly:
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.'
>> >        hostname: 'alienvault'
>> >        program_name: '(null)'
>> >        log: '2014 Nov 05 09:02:02 (2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process cannot access the file 'INST5.txt' because it is being used by another process.'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'f-error-log'
>> >        system_name: 'w2008'
>> >        srcip: '192.1.1.1'
>> >        extra_data: '\Programs\myapp\logs\05-11-2014\Error.log'
>> >        status: 'Error'
>> >        extra_data: 'The process cannot access the file 'INST5.txt' because it is being used by another process.'
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '100061'
>> >        Level: '5'
>> >        Description: 'F Error'
>> > **Alert to be generated.
>> >
>> > Then I have restarted the ossec service on the ossec server and added the
>> > following line to "F:\Programs\myapp\logs\05-11-2014\Error.log" to see if I get
>> > alerts in alerts.log:
>> >
>> > Error - The process started successfully
>> >
>> > I can see the above log in archives.log:
>> >
>> > 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log Error - The process
>> > started successfully
>> >
>> > But when I check alerts.log there are no alerts :(
>> >
>> > I spent a couple of hours and double-checked the config etc., and still I
>> > cannot see an alert in alerts.log.
>> >
>> > Thank you in advance.
>> >
>> > Sathish.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
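Added example (not from the thread, and not OSSEC's own code): a small Python simulation of the diagnosis given above. It splits a constructed archives.log line into the server-side header ("timestamp (agent) ip->location ") and the bare message, then runs the decoder regex as posted (translated to Python syntax, with OSSEC's `\.+` rendered as `.+`) against both the full archives.log line and the message alone, beside a trimmed decoder that matches only the message. The header layout, the sample lines and the field names are assumptions modelled on the thread; the OSSEC engine itself is not used, so this only illustrates why a decoder written against the archived line can pass logtest and still miss live events.

```python
import re

# Constructed archives.log lines modelled on the thread (not real captures).
ARCHIVE_LINES = [
    r"2014 Nov 05 09:02:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log "
    r"Error - The process cannot access the file 'INST5.txt' because it is being used by another process.",
    r"2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\logs\05-11-2014\Error.log "
    r"Error - The process started successfully",
]

# Assumed archives.log header written by the OSSEC server in front of the message:
# "<timestamp> (<agent name>) <agent ip>-><log location> <message>"
HEADER_RE = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((\S+)\) (\S+)->(\S+) (.*)$"
)

# Decoder regex as posted in the thread, translated to Python syntax.
# It expects the archives.log header to be part of the text it matches.
HEADER_DECODER_RE = re.compile(
    r"\d+ \w+ \d+ \d+:\d+:\d+ \((w2008)\) (\d+\.\d+\.\d+\.\d+)->(\S+) (Error) - (.+)"
)

# Trimmed decoder: matches only the message the agent actually shipped.
MESSAGE_DECODER_RE = re.compile(r"^(Error) - (.+)$")


def split_archive_line(line):
    """Separate an archives.log line into the header fields and the bare message.

    Returns None when the line does not carry the expected header.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts, agent, srcip, location, message = m.groups()
    return {
        "timestamp": ts,
        "system_name": agent,
        "srcip": srcip,
        "location": location,
        "message": message,
    }


def decode_message(message):
    """Apply the trimmed decoder and map its groups to the thread's field names
    (status, extra_data), mirroring a two-field <order> list."""
    m = MESSAGE_DECODER_RE.match(message)
    if not m:
        return None
    return {"status": m.group(1), "extra_data": m.group(2)}


def evaluate(lines):
    """For each archived line, report whether each decoder matches
    (a) the full archives.log line, as pasted into ossec-logtest, and
    (b) the bare message, as a live event would present it."""
    results = []
    for line in lines:
        parts = split_archive_line(line)
        message = parts["message"] if parts else line
        results.append({
            "logtest_full_line_header_decoder": HEADER_DECODER_RE.match(line) is not None,
            "live_message_header_decoder": HEADER_DECODER_RE.match(message) is not None,
            "live_message_trimmed_decoder": MESSAGE_DECODER_RE.match(message) is not None,
        })
    return results


if __name__ == "__main__":
    for line, r in zip(ARCHIVE_LINES, evaluate(ARCHIVE_LINES)):
        print(split_archive_line(line)["message"])
        for k, v in r.items():
            print(f"  {k}: {v}")
```

Running the block prints, for each constructed line, that the posted header-based decoder matches the full archived line (as it did in logtest) but not the bare message, while the trimmed decoder matches the bare message. This is the behaviour the thread attributes to production: the decoder should be written against the string starting with "Error".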
