On Tue, Nov 17, 2015 at 3:09 AM, Francisco <[email protected]> wrote:
> I'm having trouble with a forward slash present in my log that appears to be
> tripping up my OSSEC decoder.
>
> The following output shows the problem:
>
> [root@ixxx etc]# grep prematch local_decoder.xml
> <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d slot\S*</prematch>
> [root@ixxxx etc]# /var/ossec/bin/ossec-logtest
> 2015/11/17 07:53:28 ossec-testrule: INFO: Reading local decoder file.
> 2015/11/17 07:53:28 ossec-testrule: INFO: Started (pid: 3702).
> ossec-testrule: Type one log per line.
>
> 2015-11-16T15:21:04+00:00 slot1
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2015-11-16T15:21:04+00:00 slot1'
> hostname: 'xxxx'
> program_name: '(null)'
> log: '2015-11-16T15:21:04+00:00 slot1'
>
> **Phase 2: Completed decoding.
> decoder: 'F5'
> 2015-11-16T15:21:04+00:00 slot1/
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2015-11-16T15:21:04+00:00 slot1/'
> hostname: 'xxxxx'
> program_name: '(null)'
> log: '2015-11-16T15:21:04+00:00 slot1/'
>
> **Phase 2: Completed decoding.
> decoder: 'F5'
> 2015-11-16T15:21:04+00:00 slot1/fewfwefwe
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2015-11-16T15:21:04+00:00 slot1/fewfwefwe'
> hostname: 'xxxxxx'
> program_name: '(null)'
> log: 'slot1/fewfwefwe'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> 2015-11-16T15:21:04+00:00 slot1/fewfewfwefwef ererer
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2015-11-16T15:21:04+00:00 slot1/fewfewfwefwef ererer'
> hostname: 'slot1/fewfewfwefwef'
> program_name: '(null)'
> log: 'ererer'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
>
> The output above is also here:
> http://pastebin.com/jVjmFFb3
>
> I've tried setting slot1/$HOSTNAME as part of the decoder (for testing).
>
> I've also tried writing a regex specifically for the host name format
> (slot\d/\w+\d\w\d\w+) and it still didn't work.
>
> No matter what I can't seem to get the log which starts with
> "2015-11-17T05:22:05+00:00 slot1/$HOSTNAME err httpd[16716]"
>
> Any ideas what I'm doing wrong?
>
I don't think you're doing anything wrong really. OSSEC just
interprets the two log messages differently.
No slash:
# cat /tmp/yyy | /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2015-11-16T15:21:04+00:00 slot1'
hostname: 'ix'
program_name: '(null)'
log: '2015-11-16T15:21:04+00:00 slot1'
**Phase 2: Completed decoding.
No decoder matched.
Notice the "log:" line.
Now, with the slash:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2015-11-16T15:21:04+00:00 slot1/fewfwefwe'
hostname: 'ix'
program_name: '(null)'
log: 'slot1/fewfwefwe'
**Phase 2: Completed decoding.
No decoder matched.
Notice how the log line is different? Without digging into the source,
I can't say why it sees these logs so differently. This decoder seems
to work for both though:
<decoder name="f5">
  <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d slot|^slot\S</prematch>
</decoder>
> Regards,
> -Francisco
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
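To make the pre-decoding difference concrete, here is a small Python model of what the ossec-logtest output above shows, written as an added example for this thread (it is not OSSEC code and not from either poster). It models phase 1 the way the output implies: when the line carries an ISO 8601 syslog header, the token after the timestamp becomes the hostname only if another space follows it; otherwise that token is the start of the log field. The rule that the short "slot1" line is left untouched is modelled as a minimum length of the whole line, which is an inferred assumption, not a fact taken from the OSSEC source. The two prematch expressions from the thread are translated to Python syntax (OSSEC's \d, \p and \S rendered as \d, [+-] and \S) and run against the modelled "log" field, which is what OSSEC's prematch is tested against. The sample lines are the ones from the thread, with a constructed httpd line added; the local hostname "ix" and the helper names are assumptions.

```python
import re

# ISO 8601 syslog header as it appears in the thread: 2015-11-16T15:21:04+00:00
ISO_HEADER = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}"

# Python translations of the two OSSEC prematch regexes from the thread.
PREMATCH_ORIGINAL = re.compile(r"^" + ISO_HEADER + r" slot\S*")        # Francisco's decoder
PREMATCH_REPLY = re.compile(r"^" + ISO_HEADER + r" slot|^slot\S")      # decoder from the reply

_ISO_TS = re.compile(r"^" + ISO_HEADER + r" ")
# Syslog program tag at the start of the log field, e.g. "httpd[16716]: " or "sshd: "
_PROGRAM = re.compile(r"^(\S+?)(?:\[\d+\])?:\s")

LOCAL_HOSTNAME = "ix"   # assumption: hostname of the box running ossec-logtest

# Assumption (inferred from the thread, not from OSSEC source): a line this short is
# not treated as having a syslog header, which is why the bare "slot1" line keeps
# its timestamp inside the log field.
_MIN_HEADER_LINE_LEN = 32


def pre_decode(line, local_hostname=LOCAL_HOSTNAME):
    """Model of OSSEC phase-1 pre-decoding for ISO-8601 syslog lines.

    Returns the same three fields ossec-logtest prints: hostname, program_name, log.
    """
    hostname, program_name, log = local_hostname, None, line
    m = _ISO_TS.match(line)
    if m and len(line) > _MIN_HEADER_LINE_LEN:
        rest = line[m.end():]
        if " " in rest:
            # Token after the timestamp is followed by a space: it becomes the hostname.
            hostname, log = rest.split(" ", 1)
        else:
            # No space after it: the token is the log itself, hostname stays local.
            log = rest
    pm = _PROGRAM.match(log)
    if pm:
        program_name = pm.group(1)
        log = log[pm.end():]
    return {"hostname": hostname, "program_name": program_name, "log": log}


def decoder_matches(prematch, line):
    """True if the prematch regex hits the pre-decoded log field, as OSSEC tests it."""
    return prematch.search(pre_decode(line)["log"]) is not None


# Sample lines: the three from the thread plus one constructed httpd line.
SAMPLE_LINES = [
    "2015-11-16T15:21:04+00:00 slot1",
    "2015-11-16T15:21:04+00:00 slot1/fewfwefwe",
    "2015-11-16T15:21:04+00:00 slot1/fewfewfwefwef ererer",
    "2015-11-17T05:22:05+00:00 slot1/HOSTNAME err httpd[16716]: request failed",  # constructed
]


def match_table(lines=SAMPLE_LINES):
    """Per line: (hostname, log, original prematch hit?, reply prematch hit?)."""
    rows = []
    for line in lines:
        fields = pre_decode(line)
        rows.append((fields["hostname"], fields["log"],
                     decoder_matches(PREMATCH_ORIGINAL, line),
                     decoder_matches(PREMATCH_REPLY, line)))
    return rows


if __name__ == "__main__":
    for line, (host, log, orig_hit, reply_hit) in zip(SAMPLE_LINES, match_table()):
        print(f"{line}\n  hostname={host!r} log={log!r} original={orig_hit} reply={reply_hit}")
```

Running it reproduces the phase-1 fields in both posts: the slash-free line keeps its timestamp in the log field, the slash line loses the timestamp but keeps "slot1/..." as the log, and the line with a trailing space-separated word gets "slot1/..." promoted to hostname. It also shows why the reply's decoder helps only for the first two shapes: once the F5 slot name has become the hostname, the log field starts with whatever follows it ("ererer", or "err httpd[16716]..." in the constructed line), and neither alternative of the prematch can see "slot" any more.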