On Tue, Feb 3, 2015 at 11:11 PM, Kiến Thức Phan <[email protected]> wrote:
> Hi all,
>
> I have a log:
>
>> May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
>> May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000
>
>
> And my decoder:
>>
>> <decoder name="niban">
>> <prematch>^\w+ \d+ \d\d:\d\d:\d\d \w+ niban</prematch>
>> </decoder>
>
>
> I use ossec-logtest debug, my result: No decoder match. What did I do wrong?
> Thanks in advance
>
All right, let's walk through this. First run the log through ossec-logtest:
[root@localhost Downloads]# /var/ossec/bin/ossec-logtest
2015/02/04 07:49:35 ossec-testrule: INFO: Reading local decoder file.
May 28 10:48:29 niban useradd[32421]: new group: name=logr,
gid=120002015/02/04 07:49:35 ossec-testrule: INFO: Started (pid:
12334).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'May 28 10:48:29 niban useradd[32421]: new group:
name=logr, gid=12000'
hostname: 'niban'
program_name: 'useradd'
log: 'new group: name=logr, gid=12000'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '5901'
Level: '8'
Description: 'New group added to the system'
**Alert to be generated.
So there is no decoder, but it does match a rule. That's a good start,
hopefully we can create a decoder without causing a regression.
To create the decoder we need to look at the log message, without the
syslog headers. Luckily, ossec-logtest gives us the log:
log: 'new group: name=logr, gid=12000'
Starting there we can start creating our decoder. I don't know what
information you're trying to get out of this, your generic decoder
doesn't provide much for me, so I'm taking some liberties.
<decoder name="niban">
<program_name>useradd</program_name> <!-- this is decoded for us,
might as well use it -->
</decoder>
<decoder name="niban2">
<parent>niban</parent>
<prematch>^new group: </prematch>
<regex offset="after_prematch">^name=(\S+), gid=(\d+)</regex>
<order>user, extra_data</order> <!-- I'm not sure what the best
fields to use are -->
</decoder>
And running ossec-logtest after adding these to
/var/ossec/etc/local_decoder.xml:
[root@localhost Downloads]# /var/ossec/bin/ossec-logtest
2015/02/04 07:55:59 ossec-testrule: INFO: Reading local decoder file.
2015/02/04 07:55:59 ossec-testrule: INFO: Started (pid: 24288).
ossec-testrule: Type one log per line.
May 28 10:48:29 niban useradd[32421]: new group: name=logr,
gid=120002015/02/04 07:49:35 ossec-testrule: INFO: Started (pid:
12334).
**Phase 1: Completed pre-decoding.
full event: 'May 28 10:48:29 niban useradd[32421]: new group:
name=logr, gid=120002015/02/04 07:49:35 ossec-testrule: INFO: Started
(pid: 12334).'
hostname: 'niban'
program_name: 'useradd'
log: 'new group: name=logr, gid=120002015/02/04 07:49:35
ossec-testrule: INFO: Started (pid: 12334).'
**Phase 2: Completed decoding.
decoder: 'niban'
dstuser: 'logr'
extra_data: '120002015'
**Phase 3: Completed filtering (rules).
Rule id: '5901'
Level: '8'
Description: 'New group added to the system'
**Alert to be generated.
> ThucPK
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
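To make the two runs above reproducible without an OSSEC install, here is a small Python simulation of the pre-decode and decoder phases that ossec-logtest walks through. This is an added example, not OSSEC code and not something from the thread; it assumes a simplified syslog header split, that first-matching-decoder-wins semantics apply, and that the two prematch/regex patterns from the thread mean the same thing in Python's re dialect as in OSSEC's. It shows why the original prematch never fires (the header it describes is already gone by Phase 2), what the parent/child pair extracts, and why the pasted-while-starting-up line in the second run yields extra_data '120002015'.

```python
"""Simulation of ossec-logtest's Phase 1 (pre-decode) and Phase 2 (decoders).
Added example for the thread above; this is not OSSEC's own engine."""
import re

# Constructed input: the two lines from the question, plus the line ossec-logtest
# actually received in the second run (the log was pasted before the startup
# message finished printing, so the two ran together on one line).
SAMPLE_LINES = [
    "May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006",
    "May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000",
    "May 28 10:48:29 niban useradd[32421]: new group: name=logr, "
    "gid=120002015/02/04 07:49:35 ossec-testrule: INFO: Started (pid: 12334).",
]

# Phase 1: strip the syslog header. Simplified stand-in for OSSEC's pre-decoder.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)


def predecode(line):
    """Return hostname, program_name and the header-less 'log' part (Phase 1)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m["hostname"], "program_name": m["program_name"], "log": m["log"]}


# The original poster's decoder: its prematch describes the syslog header,
# but decoders only ever see the 'log' part, so it can never match.
OP_DECODERS = [
    {"name": "niban", "prematch": r"^\w+ \d+ \d\d:\d\d:\d\d \w+ niban"},
]

# The parent/child pair proposed in the reply.
FIXED_DECODERS = [
    {"name": "niban", "program_name": "useradd"},
    {"name": "niban2", "parent": "niban", "prematch": r"^new group: ",
     "regex": r"^name=(\S+), gid=(\d+)", "offset": "after_prematch",
     "order": ["user", "extra_data"]},
]

# 'user' in <order> is reported as dstuser by ossec-logtest (see the output above).
FIELD_ALIASES = {"user": "dstuser"}


def _matches(decoder, event):
    """Return where the prematch ended (0 when there is none), or None if the decoder does not apply."""
    if "program_name" in decoder and decoder["program_name"] != event["program_name"]:
        return None
    if "prematch" in decoder:
        m = re.search(decoder["prematch"], event["log"])
        return m.end() if m else None
    return 0


def decode(event, decoders):
    """Phase 2: first matching root decoder wins, then its children are tried in order."""
    for root in (d for d in decoders if "parent" not in d):
        if _matches(root, event) is None:
            continue
        result = {"decoder": root["name"]}
        for child in (d for d in decoders if d.get("parent") == root["name"]):
            end = _matches(child, event)
            if end is None:
                continue
            if "regex" in child:
                # offset="after_prematch": the regex runs on the text after the prematch.
                text = event["log"][end:] if child.get("offset") == "after_prematch" else event["log"]
                m = re.search(child["regex"], text)
                if not m:
                    continue
                for field, value in zip(child["order"], m.groups()):
                    result[FIELD_ALIASES.get(field, field)] = value
            break
        return result
    return None  # "No decoder matched."


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = predecode(line)
        print("log:", ev["log"])
        print("  OP decoder  :", decode(ev, OP_DECODERS))
        print("  fixed pair  :", decode(ev, FIXED_DECODERS))
```

Feed the third sample line through it and you get extra_data '120002015', exactly as in the second ossec-logtest run: the greedy \d+ swallows the digits of the startup timestamp that were glued onto the gid. Re-running with a clean line gives '12000'.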