On Tue, Sep 4, 2018 at 8:10 AM Don_Johny <[email protected]> wrote:
>
> I started with this but no success so far.
> <decoder name="test">
> <prematch>$BAD WORDS: </prematch>
> </decoder>
>
> <decoder name="syslog">
> <parent>test</parent>
> <prematch offset="after_parent">ERROR</prematch>
> <regex offset="after_parent">(\S+)</regex>
> <order>extra_data</order>
> </decoder>
>
The log message is odd, but here's how you mess with it.
I'm running a post-3.0 system/pre-3.0 rule set, so not everything will
be exactly as you see it.
If you don't need that "extra_data" for active responses or other
rules or anything, just create a rule to match on it.
Simply using an `<if_sid>1002</if_sid>` will get you most of the way.
The 2 rules do some naive matching to create an alert for that log
message:

<rule id="404040" level="1">
<if_sid>1002</if_sid>
<regex>^\d\d\d\d-\d\d-\d\d WARN</regex>
<description>match on basic format</description>
</rule>
<rule id="404041" level="5">
<if_sid>404040</if_sid>
<match>ERROR</match>
<description>funky error stuff</description>
</rule>

**Phase 1: Completed pre-decoding.
full event: '2018-09-03 WARN test 2018-09-03 ERROR test text'
hostname: 'ix'
program_name: '(null)'
log: '2018-09-03 WARN test 2018-09-03 ERROR test text'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '404041'
Level: '5'
Description: 'funky error stuff'
**Alert to be generated.

If you want that extra_data to be filled though, you'll have to write a decoder.
Start with seeing how it is currently decoded (/tmp/log just contains
the log message):

ix# cat /tmp/log; cat /tmp/log | /var/ossec/bin/ossec-logtest -q
2018-09-03 WARN test 2018-09-03 ERROR test text
2018/09/12 06:52:44 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2018/09/12 06:52:44 ossec-testrule: INFO: Started (pid: 70988).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2018-09-03 WARN test 2018-09-03 ERROR test text'
hostname: 'ix'
program_name: '(null)'
log: '2018-09-03 WARN test 2018-09-03 ERROR test text'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

This simple decoder gets you the info you were looking for:

<decoder name="test-WARN">
<prematch>WARN</prematch>
<regex>^\d\d\d\d-\d\d-\d\d WARN \S+ \d\d\d\d-\d\d-\d\d ERROR (\.+)$</regex>
<order>extra_data</order>
</decoder>

**Phase 1: Completed pre-decoding.
full event: '2018-09-03 WARN test 2018-09-03 ERROR test text'
hostname: 'ix'
program_name: '(null)'
log: '2018-09-03 WARN test 2018-09-03 ERROR test text'
**Phase 2: Completed decoding.
decoder: 'test-WARN'
extra_data: 'test text'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
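As an added example (not code from the thread or from the OSSEC project), the following Python harness applies one stand-alone OSSEC decoder to a log line offline, translating the OS_Regex dialect into Python's re module so a decoder regex can be checked before it is loaded. It assumes the character classes documented for OSSEC regexes (notably that `\.` means any character while a bare `.` is a literal dot), ignores parent/offset decoders, and uses the log line and test-WARN decoder from the thread as its constructed sample.

```python
import re

# OSSEC's regex dialect (OS_Regex) is not PCRE: "\." means any character, a bare "."
# is a literal dot, "\s" is only a space, and "\w" also covers "@", "-" and "_".
# Subset of the documented classes; "\p" (punctuation) is left out here.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",           "D": r"[^0-9]",
    "s": r" ",               "S": r"[^ ]",
    "t": r"\t",              ".": r".",
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex>/<prematch> pattern into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \( \) \$ etc. stay literal
            i += 2
        elif ch in "()^$+*|":
            out.append(ch)             # anchors, groups, repetition, alternation are shared
            i += 1
        else:
            out.append(re.escape(ch))  # every other character, "." included, is literal
            i += 1
    return "".join(out)

def decode(log: str, decoder: dict):
    """Simplified ossec-logtest phase 2 for one stand-alone decoder: the prematch must
    be found in the log, then the regex captures are assigned to the <order> fields."""
    prematch = decoder.get("prematch")
    if prematch and not re.search(ossec_to_python(prematch), log):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), log)
    if not m:
        return None
    fields = [f.strip() for f in decoder["order"].split(",")]
    return {"decoder": decoder["name"], **dict(zip(fields, m.groups()))}

# Constructed sample: the log line and the test-WARN decoder from the thread.
SAMPLE_LOG = "2018-09-03 WARN test 2018-09-03 ERROR test text"
TEST_WARN = {
    "name": "test-WARN", "prematch": "WARN", "order": "extra_data",
    "regex": r"^\d\d\d\d-\d\d-\d\d WARN \S+ \d\d\d\d-\d\d-\d\d ERROR (\.+)$",
}
# Same decoder written with PCRE habits: "(.+)" is a run of literal dots in OSSEC.
PCRE_HABIT = dict(TEST_WARN, name="test-WARN-wrong", regex=r"ERROR (.+)$")
```

Calling decode(SAMPLE_LOG, TEST_WARN) yields extra_data 'test text' as in the logtest output above, while the PCRE-style variant matches nothing, which is the usual reason a freshly written decoder reports "No decoder matched".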