Hi Dan, I tried using the <program_name> directive but it is the same situation. Do you have any idea?

On Thursday, 9 July 2015 17:44:04 UTC+2, user dan (ddpbsd) wrote:
> OSSEC only outputs to the archives.log file. It does not read it, so the header is inconsequential.
>
> Looking over it again (not fun on a phone), it looks like the problem is your decoder is wrong. Usermod isn't in the log message, it's in the meta data. Try
>
> <program_name>^usermod</program_name>
>
> instead.
>
> I don't use any additional application which could be used to filter; I want to make a simple alarm in OSSEC when somebody creates a group, for example, or adds a user to a group on Linux.
>
> On Thursday, 9 July 2015 17:20:34 UTC+2, user dan (ddpbsd) wrote:
>> On Jul 9, 2015 11:17 AM, "repquota" <[email protected]> wrote:
>> > Dan, I understand, but is it possible to remove this header?
>>
>> There is no way for OSSEC to not include this header without modifying the source. Perhaps whatever application you're feeding the archives.log file into can filter it out?
>>
>> > On Thursday, 9 July 2015 17:06:02 UTC+2, user dan (ddpbsd) wrote:
>> >> On Jul 9, 2015 10:52 AM, "repquota" <[email protected]> wrote:
>> >> > Hi,
>> >> > I have a problem with the log format on the OSSEC server. My configuration is simple: I have an OSSEC agent on my Linux PC which sends syslog messages to the OSSEC server.
>> >> >
>> >> > Configuration on the OSSEC agent below:
>> >> >
>> >> > <ossec_config>
>> >> >   <client>
>> >> >     <server-ip>172.30.1.22</server-ip>
>> >> >   </client>
>> >> >   <syslog_output>
>> >> >     <server>172.30.1.22</server>
>> >> >     <port>514</port>
>> >> >   </syslog_output>
>> >> >   <localfile>
>> >> >     <log_format>syslog</log_format>
>> >> >     <location>/var/log/messages</location>
>> >> >   </localfile>
>> >> >   <localfile>
>> >> >     <log_format>syslog</log_format>
>> >> >     <location>/var/log/auth.log</location>
>> >> >   </localfile>
>> >> >   <localfile>
>> >> >     <log_format>syslog</log_format>
>> >> >     <location>/var/log/mail.log</location>
>> >> >   </localfile>
>> >> >   <localfile>
>> >> >     <log_format>syslog</log_format>
>> >> >     <location>/var/log/audit/audit.log</location>
>> >> >   </localfile>
>> >> > </ossec_config>
>> >> >
>> >> > On the OSSEC server it is:
>> >> >
>> >> > <remote>
>> >> >   <connection>syslog</connection>
>> >> >   <allowed-ips>172.30.1.0/24</allowed-ips>
>> >> >   <local_ip>172.30.1.22</local_ip>
>> >> >   <port>514</port>
>> >> >   <protocol>udp</protocol>
>> >> > </remote>
>> >> >
>> >> > and my log format in archive.log is:
>> >> >
>> >> > 2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
>> >> >
>> >> > where 172.30.1.74 is my Linux PC
>> >> >
>> >> > and here I had a problem with the decoder, because I created my own custom one which is not working.
>> >> >
>> >> > Here is my template:
>> >> >
>> >> > <decoder name="usermod">
>> >> >   <prematch>\.*usermod</prematch>
>> >> > </decoder>
>> >> >
>> >> > When I test with /var/ossec/bin/ossec-logtest I get something like this:
>> >> >
>> >> > ossec-testrule: Type one log per line.
>> >> >
>> >> > 2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
>> >> >
>> >> > **Phase 1: Completed pre-decoding.
>> >> >        full event: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
>> >> >        hostname: 'pciossec'
>> >> >        program_name: '(null)'
>> >> >        log: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
>> >> >
>> >> > **Phase 2: Completed decoding.
>> >> >        No decoder matched.
>> >> >
>> >> > but when I paste only "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011" everything works properly:
>> >> >
>> >> > Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011
>> >> >
>> >> > **Phase 1: Completed pre-decoding.
>> >> >        full event: 'Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011'
>> >> >        hostname: 'proxy'
>> >> >        program_name: 'usermod'
>> >> >        log: 'new group: name=dupa, GID=1011'
>> >> >
>> >> > **Phase 2: Completed decoding.
>> >> >        No decoder matched.
>> >> >
>> >> > **Phase 3: Completed filtering (rules).
>> >> >        Rule id: '5901'
>> >> >        Level: '8'
>> >> >        Description: 'New group added to the system'
>> >> > **Alert to be generated.
>> >> >
>> >> > Has someone had a problem with that?
>> >>
>> >> The log message that OSSEC looks at for analysis is the one without the extra header (everything before Jul). So the second logtest attempt is the one closest to reality.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
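The point Dan makes in the thread, that the decoder's `prematch` is tested against the `log` field (the text after `usermod[13639]: `), while the program name lives in the `program_name` field, can be seen with a small model of OSSEC's phase 1 pre-decoding and phase 2 decoder matching. This is an added illustration written for this page, not OSSEC's own code: the archives.log header layout, the syslog pre-decoder regex and the `ossec_regex` translation (only the `\.`, `^`, `$`, `*` subset of OSSEC's regex syntax) are simplified assumptions, and the sample line is the one posted in the thread.

```python
import re

# Constructed sample input, copied from the thread: one archives.log line written by the
# OSSEC server, which wraps the original syslog event in a "<date> (<agent>) <ip>-><file> " header.
ARCHIVE_LINE = (
    "2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log "
    "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011"
)

# Header OSSEC prepends when it writes archives.log (assumed layout, derived from the line above).
ARCHIVE_HEADER = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+->\S+ ")

# Simplified model of OSSEC's syslog pre-decoder: "Mon d HH:MM:SS hostname program[pid]: message".
SYSLOG_EVENT = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def strip_archive_header(line):
    """Remove the archives.log header so only the original event remains."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def predecode(event):
    """Split an event into hostname / program_name / log as ossec-logtest phase 1 reports them.

    If the line is not a syslog event (for example because the archives.log header is still in
    front of it), program_name stays None and the whole line becomes the log, which is what the
    thread's first logtest run shows.
    """
    m = SYSLOG_EVENT.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return m.groupdict()


def ossec_regex(pattern):
    """Translate the subset of OSSEC regex syntax used here into a Python regex.

    In OSSEC, '\\.' means "any character" and a bare '.' is a literal dot; '\\w', '\\d', '\\s',
    '*', '+', '^' and '$' behave as in Python. (Assumed subset; the real engine differs in details.)
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
        elif c == ".":
            out.append(r"\.")
            i += 1
        else:
            out.append(c)
            i += 1
    return re.compile("".join(out))


def decoder_matches(decoder, fields):
    """Apply a decoder (dict with optional 'program_name' and 'prematch') to pre-decoded fields.

    program_name is tested against the program_name field; prematch is tested against the log
    field, i.e. the text after "program[pid]: ", never against the whole line.
    """
    if "program_name" in decoder:
        if fields["program_name"] is None:
            return False
        if not ossec_regex(decoder["program_name"]).search(fields["program_name"]):
            return False
    if "prematch" in decoder:
        if not ossec_regex(decoder["prematch"]).search(fields["log"]):
            return False
    return True


# The two decoders from the thread.
PREMATCH_DECODER = {"prematch": r"\.*usermod"}   # the original, non-working template
PROGRAM_DECODER = {"program_name": "^usermod"}   # Dan's suggestion


if __name__ == "__main__":
    bare = strip_archive_header(ARCHIVE_LINE)
    for label, event in (("archives.log line", ARCHIVE_LINE), ("original event", bare)):
        fields = predecode(event)
        print(label, fields)
        print("  prematch decoder matches:", decoder_matches(PREMATCH_DECODER, fields))
        print("  program_name decoder matches:", decoder_matches(PROGRAM_DECODER, fields))
```

Run on the original event, the pre-decoder yields `program_name = 'usermod'` and `log = 'new group: name=test, GID=1011'`, so `\.*usermod` finds nothing in the log field while `^usermod` matches the program name. The same helper also shows why pasting the archives.log line into ossec-logtest is misleading: with the header in front, nothing is pre-decoded and the whole line ends up in `log`, which is not what the analysis engine sees for the real event.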
