Does 100501 fire? It may be a "frequency" issue, take a look at the following thread, it may be useful: http://marc.info/?l=ossec-list&m=129736702512080&w=2
On Thu, May 26, 2011 at 4:28 PM, Denis Gasparin <denis.gaspa...@edistar.com> wrote:
>
> Hi to all.
>
> We have a postgresql installation that writes two lines for every query
> error. For example after executing the query "select * from
> unexistant_table", the postgresql log file has the following two lines:
>
> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
>
> We need to send an alert for every query error with attached the relative
> "STATEMENT".
>
> Because our postgres log format is different from that bundled with ossec,
> we wrote our decoder and our rules.
>
> The decoder (edistar_pgsql) works fine. The rules work ok for single
> events.
> For sending the previous two lines within the same alert we created a
> composite rule with a very restricted timeframe, so the two events will be
> grouped together. Here are the relevant rules written so far:
>
> <group name="edistar_pgsql,">
>   <rule id="100500" level="0">
>     <decoded_as>edistar_postgresql</decoded_as>
>     <description>Edistar PostgreSQL messages grouped.</description>
>   </rule>
>
>   <rule id="100501" level="4">
>     <if_sid>100500</if_sid>
>     <status>ERROR|STATEMENT</status>
>     <description>PostgreSQL error message and relative statement.</description>
>     <group>pgsql_query_failures,</group>
>   </rule>
>
>   <rule id="100502" level="8" frequency="2" timeframe="1" ignore="0">
>     <if_matched_group>pgsql_query_failures</if_matched_group>
>     <description>PostgreSQL error message. Query attached.</description>
>   </rule>
> </group>
>
> The composite rule does not work as expected. In order to trigger it, two
> query errors must be generated in the timeframe, so the log would be:
>
> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
>
> In this case OSSEC would generate an alert with only two lines (the second
> and the third).
>
> Can you help me? Is there another way to get the correct result?
>
> Thank you in advance for your help,
> Denis
>
> Sent from iPad
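The correlation Denis is after, written up as an added Python illustration (not part of the thread, and not how OSSEC's frequency/timeframe engine works internally): each ERROR is paired with the STATEMENT that follows it in the same PostgreSQL session, keyed on the session id inside the `pid[sessionid-linenum]` prefix rather than on a one-second window, so two errors that land in the same second stay separate, and an ERROR whose STATEMENT never arrives is still reported instead of being dropped. The log lines are constructed in the thread's format; the regex and function names are my own.

```python
import re

# Constructed sample lines in the same layout as the thread's log
# ("pid[sessionid-linenum] user@db(host) COMMAND STATUS: message").
# Two errors from one session in the same second, one error from a
# second session with no STATEMENT line, and one unrelated syslog line.
SAMPLE_LOG = [
    'May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist',
    'May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;',
    'May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-19] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist',
    'May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-20] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;',
    'May 26 20:11:47 test_machine sshd[1234]: Accepted publickey for user from 10.0.0.5',
    'May 26 20:11:47 test_machine postgres: 22496[4dde97be.57e0-3] user@ossec([local]) SELECT ERROR: relation "other_table" does not exist',
]

# Hypothetical decoder pattern for this log format: the bracketed part is
# PostgreSQL's %p[%c-%l] prefix (backend pid, session id, per-session line).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postgres: '
    r'(?P<pid>\d+)\[(?P<session>[0-9a-f]+\.[0-9a-f]+)-(?P<lineno>\d+)\] '
    r'(?P<user>\S+) (?P<cmd>\S+) '
    r'(?P<status>ERROR|STATEMENT|LOG|FATAL|WARNING|HINT|DETAIL): (?P<msg>.*)$'
)


def parse_line(line):
    """Return the decoded fields of one postgres log line, or None if the
    line is not in this format (other daemons, truncated lines, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["lineno"] = int(rec["lineno"])
    return rec


def _alert(err, stmt):
    # One alert per failed query: the error text plus the statement that
    # caused it (None when the STATEMENT line never showed up).
    return {
        "session": err["session"],
        "pid": err["pid"],
        "user": err["user"],
        "error": err["msg"],
        "statement": stmt["msg"] if stmt else None,
    }


def correlate(lines):
    """Pair every ERROR with the next STATEMENT of the same session.

    The session id is the correlation key, not the timestamp, so errors
    from different sessions (or several errors in one second) cannot be
    merged into one alert. Returns the alerts in log order."""
    pending = {}  # session id -> ERROR record still waiting for its STATEMENT
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["session"]
        if rec["status"] == "ERROR":
            if key in pending:
                # Previous error in this session never got a STATEMENT line;
                # report it on its own rather than losing it.
                alerts.append(_alert(pending.pop(key), None))
            pending[key] = rec
        elif rec["status"] == "STATEMENT" and key in pending:
            alerts.append(_alert(pending.pop(key), rec))
    # Flush errors whose STATEMENT never arrived (e.g. connection closed).
    for rec in pending.values():
        alerts.append(_alert(rec, None))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

Run as-is it prints three alerts: two for session 4dde97bd.57df, each with its own statement, and one for 4dde97be.57e0 with statement None. A real deployment would also want to key on the host (the session id is only unique per server) and to expire pending errors after some grace period.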