On Jul 9, 2015 10:52 AM, "repquota" <[email protected]> wrote:
>
> Hi,
> I have a problem with the log format on the OSSEC server. My configuration is simple: I have an OSSEC agent on my Linux PC which sends syslog messages to the OSSEC server. The configuration on the OSSEC agent is below:
>
> <ossec_config>
>   <client>
>     <server-ip>172.30.1.22</server-ip>
>   </client>
>   <syslog_output>
>     <server>172.30.1.22</server>
>     <port>514</port>
>   </syslog_output>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/auth.log</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/mail.log</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/audit/audit.log</location>
>   </localfile>
> </ossec_config>
>
> On the OSSEC server it is:
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>172.30.1.0/24</allowed-ips>
>   <local_ip>172.30.1.22</local_ip>
>   <port>514</port>
>   <protocol>udp</protocol>
> </remote>
>
> and my log format in archive.log is:
>
> 2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
>
> where 172.30.1.74 is my Linux PC,
>
> and here I had a problem with the decoder, because I created my own custom one which is not working.
>
> Here is my template:
>
> <decoder name="usermod">
>   <prematch>\.*usermod</prematch>
> </decoder>
>
> When I test it with /var/ossec/bin/ossec-logtest
> I get something like this:
>
> ossec-testrule: Type one log per line.
>
> 2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
>        hostname: 'pciossec'
>        program_name: '(null)'
>        log: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
>
> But when I paste only "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011", everything works properly:
>
> Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011'
>        hostname: 'proxy'
>        program_name: 'usermod'
>        log: 'new group: name=dupa, GID=1011'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5901'
>        Level: '8'
>        Description: 'New group added to the system'
> **Alert to be generated.
>
> Has someone had a problem with that?
>
The log message that OSSEC looks at for analysis is the one without the extra header (everything before Jul). So the second logtest attempt is the one closest to reality.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
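As an added illustration of the reply's point (example code written for this page, not part of the thread or of OSSEC itself): the script below strips the archive.log prefix ("<year> <month> <day> <time> (<agent>) <ip>-><location> ") to recover the event OSSEC actually analyses, and then approximates what ossec-logtest's Phase 1 reports for each form. The two sample lines are constructed from the ones posted above; the regexes, function names and the placeholder server hostname are assumptions of this example, not OSSEC's internal code. Feeding the archive.log line through the header stripper before pasting it into ossec-logtest reproduces the second, "closest to reality" attempt.

```python
import re
from typing import Dict, Optional

# Constructed sample lines, modelled on the ones posted in the thread:
# an archive.log line and the raw syslog event it wraps.
ARCHIVE_LINE = (
    "2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log "
    "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011"
)
RAW_LINE = "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011"

# archive.log prefix: "<YYYY Mon DD HH:MM:SS> (<agent>) <source>-><location> <event>"
# (assumed layout, taken from the lines shown in the thread)
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} "
    r"\((?P<agent>[^)]+)\) (?P<source>[^\s>]+)->(?P<location>\S+) (?P<log>.*)$"
)

# BSD syslog header: "<Mon D HH:MM:SS> <hostname> <program>[<pid>]: <message>"
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<hostname>\S+) (?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


def strip_archive_header(line: str) -> str:
    """Return the original event stored in an archive.log line.

    Lines that do not carry the archive prefix are returned unchanged, so
    the function is safe to run over a mixed paste of both kinds of line.
    """
    m = ARCHIVE_HEADER.match(line)
    return m.group("log") if m else line


def predecode(line: str, server_hostname: str = "ossec-server") -> Dict[str, Optional[str]]:
    """Approximate Phase 1 pre-decoding as ossec-logtest prints it.

    With a syslog header present, hostname and program_name are extracted
    and 'log' becomes the message body.  Without one (as happens when an
    archive.log line is pasted in whole) the event is kept untouched, the
    hostname falls back to the server itself and there is no program_name,
    which is exactly why a program-based decoder has nothing to match.
    The fallback hostname is an assumed placeholder for this example.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": server_hostname, "program_name": None, "log": line}
    return {
        "hostname": m.group("hostname"),
        "program_name": m.group("program"),
        "log": m.group("message"),
    }


def normalise_for_logtest(line: str) -> Dict[str, Optional[str]]:
    """Strip the archive prefix, then pre-decode: the form to paste into logtest."""
    return predecode(strip_archive_header(line))


if __name__ == "__main__":
    for label, line in (("archive.log line", ARCHIVE_LINE), ("raw syslog line", RAW_LINE)):
        print(f"--- {label}, pasted as-is:")
        for k, v in predecode(line).items():
            print(f"    {k}: {v!r}")
        print(f"--- {label}, after stripping the archive header:")
        for k, v in normalise_for_logtest(line).items():
            print(f"    {k}: {v!r}")
```

Run it and the first block mirrors the thread's first logtest attempt (no program_name, whole line kept as the log), while the stripped form yields hostname 'proxy', program_name 'usermod' and the bare message, matching the second attempt.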
