Hi

Thanks for the reply.

Here I have pasted some logs for your reference, which are from 2 different applications.

==================================================
5ceb44f6-0a9f-11e5-be EXECUTE xxx/xxxx/xxxxxx log(INFO #~#~#LOGGER#~#~#data#~#~#data#~#~#my uniqueid #~#~#CRITICAL#~#~#PSTN#~#~#some data#~#~#response data#~#~#other details #~#~#my_hostname#~#~#)

5ceb44f6-0a9f-11e5-be EXECUTE xxx/xxxx/xxxxxx log(INFO #~#~#LOGGER#~#~#data#~#~#data#~#~#my uniqueid #~#~#CRITICAL#~#~#PSTN#~#~#some data#~#~#response data#~#~#other details #~#~#my_hostname#~#~#)

5ceb44f6-0a9f-11e5-be EXECUTE xxx/xxxx/xxxxxx log(INFO #~#~#LOGGER#~#~#data#~#~#data#~#~#my uniqueid #~#~#CRITICAL#~#~#PSTN#~#~#some data#~#~#response data#~#~#other details #~#~#my_hostname#~#~#)

[2015/06/01 14:51:34][ERROR]com.application.resource.MessageSendResource:[qtp392918519-16]-sendMessage-156- #~#~#LOGGER#~#~#data#~#~#data#~#~#NONE#~#~#CRITICAL#~#~#PROCESSOR#~#~#request URL#~#~#errorCode::ERR0000desc::Internal server errorstatus:: 400#~#~#com.application.exception.Exception: ERR0000+
    at com.application.core.persistance.DBAccessManagerImpl.storeShortMessage(DBAccessManagerImpl.java:466)+
    at com.application.core.service.MessageSendService.sendMessage(MessageSendService.java:178)+
    at com.application.resource.MessageSendResource.sendMessage(MessageSendResource.java:140)+
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)+
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)+
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)+
    at java.lang.reflect.Method.invoke(Method.java:497)+
    at org.restlet.ext.jaxrs.internal.wrappers.AbstractMethodWrapper.internalInvoke(AbstractMethodWrapper.java:162)+
    at org.restlet.ext.jaxrs.internal.wrappers.ResourceMethod.invoke(ResourceMethod.java:283)+
    at org.restlet.ext.jaxrs.JaxRsRestlet.invokeMethod(JaxRsRestlet.java:996)+
    at org.restlet.ext.jaxrs.JaxRsRestlet.handle(JaxRsRestlet.java:745)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Router.doHandle(Router.java:422)+
    at org.restlet.routing.Router.handle(Router.java:639)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)+
    at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)+
    at org.restlet.Application.handle(Application.java:385)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Router.doHandle(Router.java:422)+
    at org.restlet.routing.Router.handle(Router.java:639)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Router.doHandle(Router.java:422)+
    at org.restlet.routing.Router.handle(Router.java:639)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.routing.Filter.doHandle(Filter.java:150)+
    at org.restlet.routing.Filter.handle(Filter.java:197)+
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)+
    at org.restlet.Component.handle(Component.java:408)+
    at org.restlet.Server.handle(Server.java:507)+
    at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)+
    at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)+
    at org.restlet.ext.jetty.JettyServerHelper$WrappedServer.handle(JettyServerHelper.java:273)+
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:313)+
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:248)+
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)+
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:626)+
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:546)+
    at java.lang.Thread.run(Thread.java:745)+#~#~#hostname_application#~#~#

==================================================

On Tuesday, June 2, 2015 at 9:18:26 PM UTC+5:30, Brent Morris wrote:
>
> The best way to get help from us would be to post a sample log from OSSEC.
>
> You're going to want to move your custom decoder from decoder.xml to 
> local_decoder.xml so it won't be overwritten during an upgrade.
>
> My process for writing custom decoders is to open two shells to your ossec 
> server.  One with your text editor editing local_decoder.xml and one ready 
> to re-launch ossec-logtest.  And then pull up these few reference pages..  
> http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html  -  
> http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/create-custom.html
>
> Start small and build from there.  Get the logtest working on Phase 2 
> of the decoding and pull out one attribute.  Right now you don't have a 
> matching number of attributes (items listed in the <order> section vs what 
> you have in parentheses) for your decoder.  It should look something like 
> this assuming srcip in your log is an IPv4 address..  (untested!)
>
> Once you can pull out an attribute, such as srcip, then build on the next 
> one and test..
>
> <decoder name="logger-client">
>   <parent>logger</parent>
>   <prematch offset="after_parent">^#~#~#LOGGER</prematch>
>   
> <regex>^#~#~#(\d+.\d+.\d+.\d+)#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#</regex>
>   <order>srcip</order>
> </decoder>
>
> Remember to use the wild cards referenced on the OSSEC implementation of 
> regex. - * \.* vs *\.** vs *\.*+ all mean different things to OSSEC.
>
> I'd be happy to help if you post a sample log.  Sanitize it, but don't 
> censor it with ellipses please.
>
>
>
>
>
>
> On Monday, June 1, 2015 at 2:21:26 AM UTC-7, Chandrakant Solanki wrote:
>>
>> Hello All,
>>
>> I have one Java process which is running as a daemon on some TCP/IP port.
>> Now I would like to find a particular line (which is pre-formatted) 
>> in the application's log file.
>> e.g. #~#~#LOGGER#~#~#....#~#~#..................#~#~#
>>
>> When the above line is found in the log, it should mail me and execute one 
>> shell script.
>>
>> I have tried the below configuration on the client side (ossec agent).
>>
>> ossec.conf
>> ...
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/var/log/application/processor.log</location>
>>   </localfile>
>> ...
>>
>> decoder.xml
>> ...
>> <decoder name="logger">
>>   <program_name>java</program_name>
>> </decoder>
>>
>> <decoder name="logger-client">
>>   <parent>logger</parent>
>>   <prematch offset="after_parent">^#~#~#LOGGER</prematch>
>>   
>> <regex>^#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#</regex>
>>   <order>srcip</order>
>> </decoder>
>> ...
>>
>> local_rules.xml
>>
>> <group name="syslog">
>>  <rule id="700005" level="0">
>>   <decoded_as>logger</decoded_as>
>>   <description>Custom LOGGER Found</description>
>>  </rule>
>> </group>
>>
>> Please help me out.
>>
>> Thanks,
>>
>> Chandrakant Solanki
>>
>>
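The attribute-count mismatch Brent points out, and the fact that the pasted records do not start with `#~#~#LOGGER` (so an anchored `^` prematch never fires on them), can both be caught offline before reaching for ossec-logtest. The following checker is an added example for this thread; it is not code from the thread or from the OSSEC project. It counts capture groups in `<regex>` against the names in `<order>`, then tries `<prematch>` and `<regex>` on the two record shapes pasted above (stack trace shortened) using a translation of a small subset of OSSEC regex syntax into Python's `re`. Assumptions: the translation is an approximation of OS_Regex (only `\.`, `\d`, `\w`, `\s`, `\S`, `\p`, `\t`, escaped literals, groups, `^`, `$`, `*`, `+`, `|`), `<parent>` and `offset` handling are ignored, and the "fixed" decoder is a hypothetical alternative that maps the severity, component and hostname fields onto the standard `id`, `status`, `action` and `system_name` order names; it goes slightly beyond the thread by exercising both applications' records with one decoder.

```python
"""Offline sanity checks for an OSSEC <decoder> snippet (added example).

1. capture groups in <regex> must equal the names in <order>;
2. <prematch> and <regex> are tried against sample lines via a simplified
   OSSEC-regex -> Python translation (an approximation of OS_Regex;
   ossec-logtest remains the authority). <parent>/offset are ignored.
"""
import re
import xml.etree.ElementTree as ET

# OSSEC escape -> Python regex fragment (subset of the documented syntax).
_OSSEC_ESCAPES = {
    ".": ".",                        # \. is "any character" in OSSEC
    "d": r"\d",
    "w": r"[A-Za-z0-9@_\-]",         # letters, digits, '-', '@', '_'
    "s": " ",                        # \s is a single space in OSSEC
    "S": r"\S",
    "p": r"[()*+,\-.:;<=>?\[\]]",    # OSSEC punctuation class
    "t": r"\t",
}


def ossec_to_python(pattern):
    """Translate the supported OSSEC regex subset into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Unknown escapes such as \( \) \* \$ become literal characters.
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "()*+^$|":
            out.append(c)             # same role in both dialects
        else:
            out.append(re.escape(c))  # everything else, incl. '.' and '#', is literal
        i += 1
    return "".join(out)


def count_groups(ossec_regex):
    """Capture groups are the unescaped '(' characters."""
    return len(re.findall(r"(?<!\\)\(", ossec_regex))


def _order(dec):
    return [f.strip() for f in (dec.findtext("order") or "").split(",") if f.strip()]


def check_decoder(snippet):
    """Compare the number of groups with the number of <order> names."""
    dec = ET.fromstring(snippet)
    groups, names = count_groups(dec.findtext("regex") or ""), _order(dec)
    return {"name": dec.get("name"), "groups": groups, "order": len(names),
            "mismatch": groups != len(names)}


def decode(snippet, line):
    """Apply <prematch> then <regex>; return the field dict, or None if no match."""
    dec = ET.fromstring(snippet)
    prematch = dec.findtext("prematch")
    if prematch and not re.search(ossec_to_python(prematch), line):
        return None
    m = re.search(ossec_to_python(dec.findtext("regex") or ""), line)
    return dict(zip(_order(dec), m.groups())) if m else None


# Constructed samples, reconstructed from the two records pasted in the thread
# (line wrapping removed, stack trace shortened).
SAMPLE_LOGS = [
    "5ceb44f6-0a9f-11e5-be EXECUTE xxx/xxxx/xxxxxx log(INFO #~#~#LOGGER#~#~#data#~#~#data"
    "#~#~#my uniqueid #~#~#CRITICAL#~#~#PSTN#~#~#some data#~#~#response data"
    "#~#~#other details #~#~#my_hostname#~#~#)",
    "[2015/06/01 14:51:34][ERROR]com.application.resource.MessageSendResource:"
    "[qtp392918519-16]-sendMessage-156- #~#~#LOGGER#~#~#data#~#~#data#~#~#NONE"
    "#~#~#CRITICAL#~#~#PROCESSOR#~#~#request URL#~#~#errorCode::ERR0000desc::Internal "
    "server errorstatus:: 400#~#~#com.application.exception.Exception: ERR0000+     at "
    "com.application.core.persistance.DBAccessManagerImpl.storeShortMessage"
    "(DBAccessManagerImpl.java:466)+ at java.lang.Thread.run(Thread.java:745)+"
    "#~#~#hostname_application#~#~#",
]

# The decoder as posted in the thread: ten (\.) single-character groups but one
# <order> name, plus an anchored prematch that the raw lines above never satisfy.
ORIGINAL_DECODER = r"""<decoder name="logger-client">
  <parent>logger</parent>
  <prematch offset="after_parent">^#~#~#LOGGER</prematch>
  <regex>^#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#</regex>
  <order>srcip</order>
</decoder>"""

# Hypothetical alternative (assumption, not from the thread): unanchored prematch,
# one group per <order> name, standard OSSEC field names only. The record has
# exactly nine fields after LOGGER, so the nine-field pattern splits unambiguously.
FIXED_DECODER = r"""<decoder name="logger-client">
  <prematch>#~#~#LOGGER#~#~#</prematch>
  <regex>#~#~#LOGGER#~#~#\.+#~#~#\.+#~#~#(\.+)#~#~#(\.+)#~#~#(\.+)#~#~#\.+#~#~#\.+#~#~#\.+#~#~#(\.+)#~#~#</regex>
  <order>id, status, action, system_name</order>
</decoder>"""

if __name__ == "__main__":
    for snippet in (ORIGINAL_DECODER, FIXED_DECODER):
        print(check_decoder(snippet))
        for line in SAMPLE_LOGS:
            print("  ->", decode(snippet, line))
```

Run as a script it reports `mismatch: True` (10 groups vs 1 name) and no match for the posted decoder, and the four extracted fields for each of the two records with the alternative. Because the translation is only an approximation of OS_Regex, treat a passing result here as a reason to run the decoder through ossec-logtest, not as a substitute for it.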
