Dan, I understand, but is it possible to remove this header?

On Thursday, 9 July 2015 17:06:02 UTC+2, dan (ddpbsd) wrote:
> On Jul 9, 2015 10:52 AM, "repquota" <[email protected]> wrote:
> >
> > Hi,
> > I have a problem with the log format in the ossec server. My configuration is simple: I have an ossec agent on my Linux PC which sends syslog messages to the ossec server. Configuration on the ossec agent below:
> >
> > <ossec_config>
> >   <client>
> >     <server-ip>172.30.1.22</server-ip>
> >   </client>
> >   <syslog_output>
> >     <server>172.30.1.22</server>
> >     <port>514</port>
> >   </syslog_output>
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/messages</location>
> >   </localfile>
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/auth.log</location>
> >   </localfile>
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/mail.log</location>
> >   </localfile>
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/audit/audit.log</location>
> >   </localfile>
> > </ossec_config>
> >
> > On the ossec server it is:
> >
> > <remote>
> >   <connection>syslog</connection>
> >   <allowed-ips>172.30.1.0/24</allowed-ips>
> >   <local_ip>172.30.1.22</local_ip>
> >   <port>514</port>
> >   <protocol>udp</protocol>
> > </remote>
> >
> > and my log format in archive.log is:
> >
> > 2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
> >
> > where 172.30.1.74 is my Linux PC,
> >
> > and here I had a problem with the decoder, because I created my own custom one, which is not working.
> >
> > Here is my template:
> >
> > <decoder name="usermod">
> >   <prematch>\.*usermod</prematch>
> > </decoder>
> >
> > When I test with /var/ossec/bin/ossec-logtest I have something like this:
> >
> > ossec-testrule: Type one log per line.
> >
> > 2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
> >        hostname: 'pciossec'
> >        program_name: '(null)'
> >        log: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > But when I paste only "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011" everything works properly:
> >
> > Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011'
> >        hostname: 'proxy'
> >        program_name: 'usermod'
> >        log: 'new group: name=dupa, GID=1011'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '5901'
> >        Level: '8'
> >        Description: 'New group added to the system'
> > **Alert to be generated.
> >
> > Has someone had a problem with that?
>
> The log message that OSSEC looks at for analysis is the one without the extra header (everything before Jul). So the second logtest attempt is the one closest to reality.
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
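Added example, not from this thread or from the OSSEC project: a small Python script that strips the archive.log prefix Dan refers to and then pulls out the hostname, program_name and log fields the way the logtest Phase 1 output shows them, so lines copied from archive.log can be turned back into the raw syslog events that ossec-logtest expects. The regexes, field names and the sample line (taken from the thread) are my approximation of OSSEC's pre-decoder, not its code.

```python
import re

# Prefix that OSSEC writes in front of each event in archive.log, e.g.
#   "2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log "
# (assumed layout: year, month, day, time, (agent name), source->location).
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \(\S+\) \S+->\S+ "
)

# Classic BSD syslog header: "Jul  9 15:57:07 proxy usermod[13639]: message".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# Sample line as posted in the thread (the syslog double space after "Jul"
# is restored here; the mailing-list extraction collapsed it).
SAMPLE_ARCHIVE_LINE = (
    "2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log "
    "Jul  9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011"
)


def strip_archive_header(line: str) -> str:
    """Drop the archive.log prefix if present; raw syslog lines pass through."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def predecode(line: str, local_hostname: str = "localhost") -> dict:
    """Approximate the fields logtest prints in Phase 1.

    Without a syslog header the whole line becomes 'log', hostname falls
    back to the analysis host and program_name is None (shown as '(null)').
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": local_hostname, "program_name": None,
                "pid": None, "log": line}
    return {"hostname": m.group("host"), "program_name": m.group("prog"),
            "pid": m.group("pid"), "log": m.group("log")}


def predecode_archive_line(line: str, local_hostname: str = "localhost") -> dict:
    """Pre-decode an archive.log line the way the live pipeline would see it."""
    return predecode(strip_archive_header(line), local_hostname)


if __name__ == "__main__":
    print(predecode(SAMPLE_ARCHIVE_LINE, "pciossec"))          # program_name None
    print(predecode_archive_line(SAMPLE_ARCHIVE_LINE, "pciossec"))  # 'usermod'
```

Feeding `strip_archive_header(line)` into ossec-logtest instead of the raw archive.log line reproduces the second, working attempt from the thread.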
