Good morning,

I've prepared a custom rule for the Ubuntu servers that I monitor.

I've created the local_rules.xml and decoder.xml on the server side.

decoder.xml

<!-- Patches for Ubuntu -->
<decoder name="ubuntu-patches">
  <prematch>^\d\d\d\d.\d\d.\d\d \d\d:\d\d:\d\d PARCHES</prematch>
</decoder>

<decoder name="ubuntu-patches-warn">
  <parent>ubuntu-patches</parent>
  <regex offset="after_parent">WARN;(\w+);(\w+);(\w+);(\d+)</regex>
  <order>srcip,url,action,extra_data</order>
</decoder>


ossec.conf

<!-- Server patch level -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/parchespendientes.log</location>
</localfile>

local_rules.xml

<group name="ubuntu-patches">
  <rule id="900001" level="0">
    <decoded_as>ubuntu-patches</decoded_as>
    <description>Parches pendientes</description>
  </rule>
  <rule id="900002" level="9">
    <if_sid>900001</if_sid>
    <action>parches</action>
    <description>Parches pendientes</description>
  </rule>
  <rule id="900003" level="11">
    <if_sid>900001</if_sid>
    <action>security</action>
    <description>Parches de Seguridad pendientes</description>
  </rule>
</group>


Logtest

**Phase 1: Completed pre-decoding.
       full event: '2015.07.20 09:42:08 PARCHES WARN;BAE-I-WEB2D;Parches;security;3'
       hostname: 'BAE-I-MT1'
       program_name: '(null)'
       log: '2015.07.20 09:42:08 PARCHES WARN;BAE-I-WEB2D;Parches;security;3'
**Phase 2: Completed decoding.
       decoder: 'ubuntu-patches'
       srcip: 'BAE-I-WEB2D'
       url: 'Parches'
       action: 'security'
       extra_data: '3'
**Phase 3: Completed filtering (rules).
       Rule id: '900003'
       Level: '11'
       Description: 'Parches de Seguridad pendientes'
**Alert to be generated.


I've restarted the server with ossec-control and updated the log on the client side, but the alert doesn't appear. What could be the problem?

regards 
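As an added illustration (not part of the post and not OSSEC's own code), the following script simulates what the two decoders and the three rules above do to a log line, translating the OSSEC regex dialect into Python so that the extraction seen in the logtest output can be reproduced offline. The sample line is the one from the logtest output; the helper names are hypothetical.

```python
import re
from typing import Optional

# OSSEC regex tokens mapped to Python regex. OSSEC's \w also covers '-', '@'
# and '_', which is why the hyphenated host BAE-I-WEB2D matches (\w+) in the
# post's decoder; Python's own \w would stop at the first '-'. In the OSSEC
# dialect '\.' means any character and a bare '.' is a literal dot.
_OSSEC_TOKENS = {
    r"\w": r"[A-Za-z0-9@_\-]", r"\W": r"[^A-Za-z0-9@_\-]",
    r"\d": r"[0-9]",           r"\D": r"[^0-9]",
    r"\s": r" ",               r"\S": r"[^ ]",
    r"\t": r"\t",              r"\.": r".",
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC prematch/regex string into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _OSSEC_TOKENS:
            out.append(_OSSEC_TOKENS[tok]); i += 2
        elif pattern[i] in "()+*^$|":          # same meaning in both dialects
            out.append(pattern[i]); i += 1
        else:                                  # everything else is literal
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

# The decoder pair from the post, simulated here (this is not ossec-logtest).
PREMATCH = r"^\d\d\d\d.\d\d.\d\d \d\d:\d\d:\d\d PARCHES"
CHILD_REGEX = r"WARN;(\w+);(\w+);(\w+);(\d+)"
ORDER = ["srcip", "url", "action", "extra_data"]
SAMPLE_LINE = "2015.07.20 09:42:08 PARCHES WARN;BAE-I-WEB2D;Parches;security;3"

def decode(log: str) -> Optional[dict]:
    """Return the fields the ubuntu-patches decoders would extract, or None."""
    parent = re.match(ossec_to_python(PREMATCH), log)
    if not parent:
        return None                      # prematch failed: decoder not applied
    rest = log[parent.end():]            # offset="after_parent"
    child = re.search(ossec_to_python(CHILD_REGEX), rest)
    fields = {"decoder": "ubuntu-patches"}
    if child:
        fields.update(zip(ORDER, child.groups()))
    return fields

def match_rule(fields: Optional[dict]) -> Optional[tuple]:
    """Pick the rule id and level as local_rules.xml does, keyed on <action>."""
    if fields is None or fields.get("decoder") != "ubuntu-patches":
        return None
    by_action = {"security": (900003, 11), "parches": (900002, 9)}
    return by_action.get(fields.get("action"), (900001, 0))
```

Running `match_rule(decode(SAMPLE_LINE))` gives rule 900003 at level 11, matching Phase 3 of the logtest output, while a line without the `WARN;...` tail only reaches the level 0 rule 900001.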
