Hi Everyone -
Does anyone have a custom decoder for Atlassian products or can point me in
the correct path to properly identify them?
Here is a sample of what I am dealing with:
Bamboo
2019-05-23 12:56:11,870 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
Remote agent 'WINDOWSBUILD.domain.local' was unresponsive and has gone
offline.
2019-05-23 12:56:11,870 INFO [scheduler_Worker-3] [AgentManagerImpl] No
deployments running on agent WINDOWSBUILD.domain.local
2019-05-23 12:56:11,871 INFO [scheduler_Worker-3] [AgentManagerImpl] No
builds running on agent WINDOWSBUILD.domain.local
2019-05-23 12:56:11,902 INFO
[AtlassianEvent::0-BAM::EVENTS:pool-3-thread-3] [ChainExecutionManagerImpl]
Plan C334-141: - feature-dual-club has finished
2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
Remote agent 'build-dev1.domain.local' was unresponsive and has gone
offline.
Confluence
2019-05-23 12:56:08,254 INFO [buildTailMessageListenerConnector-124]
[FingerprintMatchingMessageListenerContainer] Successfully refreshed JMS
Connection
2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
Detected that remote agent 'build1.domain.local' has been inactive since
Thu May 23 12:45:50 EDT 2019
2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
Marking remote agent 'build1.domain.local' as unresponsive
2018-08-22 12:11:50,828 INFO [Caesium-1-1]
[directory.ldap.cache.AbstractCacheRefresher]
2018-08-22 12:39:03,722 INFO [http-nio-8443-exec-24]
[plugins.synchrony.service.SynchronyExternalChangesManager]
performExternalChange Started external change for ContentId{id=37322926}
2019-05-02 16:30:00,315 ERROR [NotificationSender:thread-2]
[plugin.notifications.dispatcher.NotificationErrorRegistryImpl] addError
Error sending notification to server '<Unknown>'(-1) for INDIVIDUAL task
(resent 0 times): Error sending to individual
'ff8080815bd4b40a015c7dcb00e80009' on server 'System Mail'
Sample decoder output:
2019/05/24 09:19:49 ossec-testrule: INFO: Reading local decoder file.
2019/05/24 09:19:49 ossec-testrule: INFO: Started (pid: 18995).
ossec-testrule: Type one log per line.
2019-05-23 12:56:11,812 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
Remote agent 'chasebuild-dev1.archergroup.local' was unresponsive and has
gone offline.
**Phase 1: Completed pre-decoding.
full event: '2019-05-23 12:56:11,812 WARN [scheduler_Worker-3]
[RemoteAgentManagerImpl] Remote agent 'chasebuild-dev1.archergroup.local'
was unresponsive and has gone offline.'
hostname: '*WARN*'
program_name: '(null)'
log: '[scheduler_Worker-3] [RemoteAgentManagerImpl] Remote agent
'build-dev1.domain.local' was unresponsive and has gone offline.'
**Phase 2: Completed decoding.
No decoder matched.
The logs are interpreted as syslog, the status is being pulled into the
hostname, and the only log data I can work with for Phase 2 is the *log:*
section, correct? So I'll never be able to get the status of the log?
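Added example, not from the original post: a local_decoder.xml entry that works on the *log:* portion the Phase 1 output shows reaching the decoders (the bracketed thread name and Java class, then the message). The decoder names and the mapping of thread, class and agent host onto OSSEC's extra_data, data and system_name fields are my own choices.

```xml
<!-- Parent decoder: after OSSEC's pre-decoding, the Atlassian line that
     reaches Phase 2 starts with "[thread] [JavaClass] ". Square brackets
     are literal in OSSEC's regex syntax. -->
<decoder name="atlassian">
  <prematch>^[\S+] [\w+] </prematch>
</decoder>

<!-- Child decoder for the Bamboo remote-agent messages in the samples:
       "[scheduler_Worker-3] [RemoteAgentManagerImpl] Remote agent 'HOST' was unresponsive ..."
       "[scheduler_Worker-3] [RemoteAgentManagerImpl] Marking remote agent 'HOST' as unresponsive"
       "[scheduler_Worker-3] [RemoteAgentManagerImpl] Detected that remote agent 'HOST' has been inactive ..."
     \.* skips the words before "agent"; \S+ stops at the closing quote.
     Field mapping (assumed): thread -> extra_data, class -> data, agent -> system_name. -->
<decoder name="atlassian-bamboo-agent">
  <parent>atlassian</parent>
  <regex>^[(\S+)] [(\w+)] \.*agent '(\S+)' </regex>
  <order>extra_data, data, system_name</order>
</decoder>
```

Run the sample line through ossec-logtest again after adding this; Phase 2 should report the decoder name and the three extracted fields, which a local rule can then match on with `<extra_data>`, `<data>` or `<system_name>`.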