On Tue, Jun 14, 2016 at 7:39 AM, Jacob Mcgrath
<[email protected]> wrote:
> I have tried something different and used logger to push server ping
> failures to /var/log/messages. I do see this when I grep the OSSEC
> archive.
>
> 2016 Jun 13 23:30:22 alamo->/var/log/messages alamo logger: ServPing Domain
> DC01 down
>
It's odd that there is no timestamp on the message (2016 Jun 13
23:30:22 alamo->/var/log/messages is a header added by OSSEC).
'logger -t' can sometimes let you set the "program name" in the log message.
> So this works but I cannot seem to get past phase one pre-decoding:
>
> hostname 'alamo'
> program_name 'logger'
> log 'ServPing Domain DC01 down'
>
> Tried to adjust these decoders like so but still no phase two. Thought maybe
> this log is already a child of another, but debug didn't yield much of
> anything.
>
> <decoder name="servping">
> <prematch>^ServPing </prematch>
> </decoder>
My logger/syslog adds a timestamp to the event, so I would have
"logger" as the program_name.
This is what I get with ossec-logtest:
ossec-testrule: Type one log per line.
alamo logger: ServPing Domain DC01 down
**Phase 1: Completed pre-decoding.
full event: 'alamo logger: ServPing Domain DC01 down'
hostname: 'ix'
program_name: '(null)'
log: 'alamo logger: ServPing Domain DC01 down'
**Phase 2: Completed decoding.
No decoder matched.
Using the decoder:
<decoder name="servping">
  <!-- Notice how this is not at the beginning, so the ^ is wrong -->
  <prematch>ServPing</prematch>
</decoder>
gets me this:
alamo logger: ServPing Domain DC01 down
**Phase 1: Completed pre-decoding.
full event: 'alamo logger: ServPing Domain DC01 down'
hostname: 'ix'
program_name: '(null)'
log: 'alamo logger: ServPing Domain DC01 down'
**Phase 2: Completed decoding.
decoder: 'servping'
I didn't do any testing past that.
>
> <decoder name="servping-all">
> <parent>servping</parent>
> <regex offset="after_parent">(\w+) (\w+) (\w+)</regex>
> <order>id,dstip,action</order>
> </decoder>
>
>
>
> On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>>
>> Was wondering on the best route/option to accomplish this?
>>
>>
>> (similar to the USB storage detection)
>>
>> Was thinking about a batch or bash script that would ping servers from a list
>> and write the results to a file. Every so many minutes this
>> file would be overwritten with the new results.
>>
>> If the results "differ" from the last log the alert would be triggered.
>>
>>
>> (other option)
>>
>> Run script as scheduled task, write to log then monitor log like a syslog.
>> Regex for the failed pings. Then alerts.
>>
>>
>> Curious if anyone has tried this and found either way better?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
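Here is the "script writes to syslog, OSSEC decodes it" route from the thread carried through end to end, as an added example that is not code from either poster. It follows the suggestion above of tagging the message with `logger -t` so that OSSEC pre-decoding fills in program_name instead of leaving it `(null)`. The host list is constructed for the example, and the `SERVPING_*` variable names are assumptions made here so that the ping and logger commands can be swapped out when running without a network:

```shell
#!/bin/sh
# Added example, not code from the thread: ping a list of hosts and push each
# failure into syslog tagged with a program name OSSEC can decode on.
# Variable names (SERVPING_*) are assumptions made for this example.

# Constructed host list for the example; in production point SERVPING_HOSTS
# at the contents of your server list (for example: $(cat /etc/servping.list)).
SERVPING_HOSTS="${SERVPING_HOSTS:-DC01 DC02 fileserver}"

# Reachability test: one echo request, two-second timeout (Linux iputils
# flags). Overridable so the script can be exercised without a network.
SERVPING_PING="${SERVPING_PING:-ping -c 1 -W 2}"

# Syslog writer. '-t ServPing' sets the syslog tag, which OSSEC pre-decoding
# turns into program_name; the message body becomes the 'log' field.
SERVPING_LOG="${SERVPING_LOG:-logger -t ServPing -p local0.warning}"

# The text that ends up in OSSEC's 'log' field for an unreachable host.
servping_message() {
    printf 'Domain %s down\n' "$1"
}

# Ping every host; for each failure, log the message and echo it to stdout
# (one line per host) so a caller can see what was sent. Always returns 0
# so it is safe under 'set -e'; the output tells you what is down.
servping_check() {
    for host in $SERVPING_HOSTS; do
        if $SERVPING_PING "$host" >/dev/null 2>&1; then
            continue
        fi
        msg=$(servping_message "$host")
        $SERVPING_LOG "$msg" || printf 'servping: could not log: %s\n' "$msg" >&2
        printf '%s\n' "$msg"
    done
    return 0
}

# Run the check only when asked (e.g. from cron: SERVPING_RUN=1 sh servping.sh),
# so the file can also be sourced by a test harness without pinging anything.
if [ "${SERVPING_RUN:-0}" = 1 ]; then
    servping_check
fi
```

With the tag set, the syslog line reads `ServPing: Domain DC01 down`, so ossec-logtest reports `program_name: 'ServPing'` and `log: 'Domain DC01 down'`. The parent decoder can then select on `<program_name>ServPing</program_name>` (an OSSEC decoder option) instead of a prematch, and the child regex only has to deal with the `Domain DC01 down` part, which is what the `(\w+) (\w+) (\w+)` pattern above expects.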