Hi,
I have a problem with the log format on the ossec server. My configuration is
simple: I have an ossec agent on my Linux PC which sends syslog messages to
the ossec server. The configuration on the ossec agent is below:
<ossec_config>
  <client>
    <server-ip>172.30.1.22</server-ip>
  </client>
  <syslog_output>
    <server>172.30.1.22</server>
    <port>514</port>
  </syslog_output>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
</ossec_config>
and on the ossec server it is:
<remote>
  <connection>syslog</connection>
  <allowed-ips>172.30.1.0/24</allowed-ips>
  <local_ip>172.30.1.22</local_ip>
  <port>514</port>
  <protocol>udp</protocol>
</remote>
and my log format in archive.log is:
2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
where 172.30.1.74 is my Linux PC
and here I had a problem with the decoder, because I created my own custom one
which is not working.
Here is my template:
<decoder name="usermod">
  <prematch>\.*usermod</prematch>
</decoder>
when I test it with /var/ossec/bin/ossec-logtest
I get something like this:
ossec-testrule: Type one log per line.
2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
**Phase 1: Completed pre-decoding.
full event: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
hostname: 'pciossec'
program_name: '(null)'
log: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
**Phase 2: Completed decoding.
No decoder matched.
but when I paste only "Jul 9 15:57:07 proxy usermod[13639]: new group:
name=test, GID=1011" everything works properly:
Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011
**Phase 1: Completed pre-decoding.
full event: 'Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011'
hostname: 'proxy'
program_name: 'usermod'
log: 'new group: name=dupa, GID=1011'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '5901'
Level: '8'
Description: 'New group added to the system'
**Alert to be generated.
Has anyone had a problem with that?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
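As an added example (not from the post above and not OSSEC's own code), a small Python helper that strips the archive.log prefix ("YYYY Mon DD HH:MM:SS (agent) ip->location ") off a line before it is pasted into ossec-logtest, and mirrors what the Phase 1 pre-decoder pulls out of the remaining syslog header. The regexes, the server-local "hostname->location" variant and the sample lines are assumptions built from the formats quoted in the post; with the prefix left in place, the syslog header is not at the start of the line, which is why the post's first test shows program_name '(null)'.

```python
import re

# Constructed sample lines, shaped after the formats quoted in the post.
ARCHIVE_LINE = ("2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log "
                "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011")
# Assumed shape for a log collected on the server itself (no "(agent) ip" part).
LOCAL_LINE = ("2015 Jul 09 15:57:07 pciossec->/var/log/syslog "
              "Jul 9 15:57:08 pciossec sshd[2201]: Accepted publickey for ops")

# archive.log prefix: timestamp, then either "(agent) ip" or a bare hostname,
# then "->location", then the raw log line exactly as the agent shipped it.
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>[^ ]+?)|(?P<host>[^ ]+?))->(?P<location>\S+) "
    r"(?P<log>.*)$"
)

# Syslog header as the pre-decoder expects it: "Mon D HH:MM:SS host program[pid]: msg"
# (one or two spaces before the day, as real syslog pads single-digit days).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)


def strip_archive_prefix(line):
    """Return (prefix metadata, raw log). Metadata is None if no prefix is present."""
    m = ARCHIVE_RE.match(line)
    if not m:
        return None, line
    meta = {k: m.group(k) for k in ("ts", "agent", "ip", "host", "location")}
    return meta, m.group("log")


def predecode(raw):
    """Mimic logtest Phase 1: split hostname / program_name / pid off the message.

    If the header is not at the very start (e.g. archive prefix still present),
    program_name stays None, like the '(null)' seen in the post's first run.
    """
    m = SYSLOG_RE.match(raw)
    if not m:
        return {"hostname": None, "program_name": None, "pid": None, "log": raw}
    return {"hostname": m.group("hostname"), "program_name": m.group("program_name"),
            "pid": m.group("pid"), "log": m.group("log")}


def prepare_for_logtest(line):
    """Strip the archive prefix (if any) and return (raw line, pre-decoded fields)."""
    _meta, raw = strip_archive_prefix(line)
    return raw, predecode(raw)
```

Feed the first element of `prepare_for_logtest(...)` to ossec-logtest, one line per event, rather than the archive.log line itself.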