The best way to get help from us would be to post a sample log from OSSEC. You're going to want to move your custom decoder from decoder.xml to local_decoder.xml so it won't be overwritten during an upgrade.
My process for writing custom decoders is to open two shells to your OSSEC server: one with your text editor editing local_decoder.xml and one ready to re-launch ossec-logtest. Then pull up a few reference pages:

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html
http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/create-custom.html

Start small and build from there. Get the logtest working on Phase 2 of the decoding and pull out one attribute. Right now you don't have a matching number of attributes (items listed in the <order> section vs. what you have in parentheses) for your decoder. It should look something like this, assuming srcip in your log is an IPv4 address (untested!). Once you can pull out an attribute, such as srcip, then build on the next one and test.

<decoder name="logger-client">
  <parent>logger</parent>
  <prematch offset="after_parent">^#~#~#LOGGER</prematch>
  <regex>^#~#~#(\d+.\d+.\d+.\d+)#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#</regex>
  <order>srcip</order>
</decoder>

Remember to use the wildcards referenced in the OSSEC implementation of regex: \. vs \.* vs \.+ all mean different things to OSSEC.

I'd be happy to help if you post a sample log. Sanitize it, but don't censor it with ellipses please.

On Monday, June 1, 2015 at 2:21:26 AM UTC-7, Chandrakant Solanki wrote:
>
> Hello All,
>
> I have one Java process which is running as a daemon on some TCP/IP port.
> Now I would like to find a particular line (which is pre-formatted) in the
> application's log file.
> e.g. #~#~#LOGGER#~#~#....#~#~#..................#~#~#
>
> When the above line is found in the log, it should mail me and execute one
> shell script.
>
> I have tried the below configuration on the client side (ossec agent).
>
> ossec.conf
> ...
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/application/processor.log</location>
> </localfile>
> ...
>
> decoder.xml
> ...
> <decoder name="logger">
>   <program_name>java</program_name>
> </decoder>
>
> <decoder name="logger-client">
>   <parent>logger</parent>
>   <prematch offset="after_parent">^#~#~#LOGGER</prematch>
>
>   <regex>^#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#</regex>
>   <order>srcip</order>
> </decoder>
> ...
>
> local_rules.xml
>
> <group name="syslog">
>   <rule id="700005" level="0">
>     <decoded_as>logger</decoded_as>
>     <description>Custom LOGGER Found</description>
>   </rule>
> </group>
>
> Please help me out.
>
> Thanks,
>
> Chandrakant Solanki
>
> --
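To make the reply's point about group counts concrete, here is a small Python check added for this page (not code from the thread or from OSSEC itself): it translates the escapes listed on the OSSEC regex syntax page into Python re, compares a decoder's capture groups with its <order> fields, and runs the <regex> against a constructed sample line. It emulates the regex step only; prematch and offset handling are assumed to be done by ossec-logtest, and the sample log line is invented for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# OSSEC regex escapes (per the OSSEC regex syntax documentation) mapped onto Python re.
# Note the reversal: in OSSEC a bare "." is a literal dot and "\." is the any-character wildcard.
_OSSEC_ESCAPES = {r"\d": "[0-9]", r"\D": "[^0-9]", r"\w": r"[A-Za-z0-9_\-]", r"\W": r"[^A-Za-z0-9_\-]",
                  r"\s": " ", r"\S": "[^ ]", r"\t": r"\t", r"\p": r"[()*+,\-.:;<=>?\[\]]", r"\.": "."}

def ossec_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if pattern[i] == "\\" and len(tok) == 2:
            # Known OSSEC escape; an unknown escape is kept as a literal character.
            out.append(_OSSEC_ESCAPES.get(tok, re.escape(tok[1])))
            i += 2
        else:
            # ^ $ ( ) | * + ? mean the same in both dialects; everything else is literal.
            out.append(pattern[i] if pattern[i] in "^$()|*+?" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

def check_decoder(decoder_xml, log_line):
    """Count capture groups against <order> fields and run the <regex> over one log line.
    Only the regex step is emulated; prematch and offset handling are left to ossec-logtest."""
    dec = ET.fromstring(decoder_xml)
    order = [f.strip() for f in dec.findtext("order").split(",")]
    compiled = re.compile(ossec_to_python(dec.findtext("regex")))
    m = compiled.search(log_line)
    return {"groups": compiled.groups, "order_fields": len(order),
            "balanced": compiled.groups == len(order), "matched": m is not None,
            "fields": dict(zip(order, m.groups())) if m else {}}

# Constructed sample line (not from the thread): an IPv4 address, then nine more fields.
SAMPLE_LOG = "#~#~#192.0.2.10" + "".join("#~#~#f%d" % n for n in range(1, 10)) + "#~#~#"
# The two <decoder> blocks from the thread, with their <regex> and <order> unchanged.
OP_DECODER = r"""<decoder name="logger-client"><parent>logger</parent>
<prematch offset="after_parent">^#~#~#LOGGER</prematch>
<regex>^#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#</regex>
<order>srcip</order></decoder>"""
REPLY_DECODER = r"""<decoder name="logger-client"><parent>logger</parent>
<prematch offset="after_parent">^#~#~#LOGGER</prematch>
<regex>^#~#~#(\d+.\d+.\d+.\d+)#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#</regex>
<order>srcip</order></decoder>"""

if __name__ == "__main__":
    for name, xml_text in (("original", OP_DECODER), ("reply", REPLY_DECODER)):
        print(name, check_decoder(xml_text, SAMPLE_LOG))
```

The original decoder reports ten groups against one <order> field and no match on the sample line, because each (\.) consumes exactly one character; the reply's version balances and yields srcip.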
