Just guessing here, but the issue could be the use of spaces v/s tabs. Which decoders are being used for mailbox.log and audit.log?
I faced a similar issue when I copied and pasted a log into a test file (the tabs got copied over). However when I ran a script to insert the logs into a log file, the shell script implicitly replaced the tabs with spaces, and the event did not generate an alert. HTH. On Thu, Jul 7, 2011 at 3:52 PM, blacklight <vphu...@yahoo.com> wrote: > Hello Folks, > > I am at wits' end with an issue: I have written up an OSSEC rule that > detects whether a Zimbra mail server is acting up. > > There is no issue with the syntax of the rule: it passes the ossec- > logtest with flying colors. The rule works 100% when I deliberately > insert for testing purposes into /opt/zimbra/log/audit.log the log > entry that the rule is designed to detect: the rule immediately shows > up in the OSSEC GUI as: > > > 2011 Jul 07 13:06:06 Rule Id: 100111 level: 7 > Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/ > audit.log > Zimbra startup detected > 2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 > release=20110624102500 builddate=20110624-1027 buildhost=zre- > rhel4.eng.vmware.com <-- test by V. > > > For reference, the dummy log entry is > > > 2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 > release=20110624102500 builddate=20110624-1027 buildhost=zre- > rhel4.eng.vmware.com <-- test by V. > > and is stored in a file v.4.txt > > > It is inserted into /opt/zimbra/log/audit.log by running the command > > cat /tmp/v.4.txt >> /opt/zimbra/log/audit.log > > > My problem is that when I insert the same log entry (after adjusting > the time) into /opt/zimbra/log/mailbox.log, the OSSEC GUI does not > show the entry at all. > > (1) I checked in /var/ossec/logs/ossec.log that OSSEC on the mail > server is actually writing to /opt/zimbra/log/mailbox.log: > > 2011/04/14 21:56:36 ossec-logcollector(1950): INFO: Analyzing file: '/ > opt/zimbra/log/mailbox.log'. > 2011/06/25 08:17:18 ossec-logcollector(1950): INFO: Analyzing file: '/ > opt/zimbra/log/mailbox.log'. > > Lest you think that OSSEC somehow stopped reading mailbox.log, I > checked that OSSEC is currently reading /opt/zimbra/log/audit.log: > > 2011/04/14 21:56:36 ossec-logcollector(1950): INFO: Analyzing file: '/ > opt/zimbra /log/audit.log'. > 2011/06/25 08:17:18 ossec-logcollector(1950): INFO: Analyzing file: '/ > opt/zimbra /log/audit.log'. > > Note that the date and times for mailbox.log and audit.log. > > > (2) I checked the file permissions for audit.log and mailbox.log - > they match: > > [root@mailserver log]# ls -l mailbox.log audit.log > -rw-r----- 1 zimbra zimbra 2586778 Jul 7 15:35 audit.log > -rw-r----- 1 zimbra zimbra 94811342 Jul 7 15:35 mailbox.log > > > > Let's summarize: the logs files have identical permissions, the OSSEC > agent on the mail server reports that is reading both /opt/zimbra/log/ > audit.log and /opt/zimbra/log/mailbox.log> Yet, the OSSEC GUI shows > the rule being triggered when the dummy log entry is inserted in > audit.log but not triggered when the same rule is inserted in > mailbox.log. I am losing my mental grip: what's going on? > > For reference, > > decoder > > <decoder name="log4j"> > <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d </prematch> > </decoder> > > > Rule:: > > <decoded_as>log4j</decoded_as> > <description>Log4J Container</description> > </rule> > > <rule id="100102" level="0"> > <if_sid>100101</if_sid> > <regex>ERROR|FATAL|INFO|WARN \S+ [\S+] \S+ - </regex> > <description>filter out the message categories</description> > </rule> > > <rule id="100111" level="7"> > <if_sid>100102</if_sid> > <regex>buildhost=</regex> > <description>Zimbra startup detected</description> > </rule> > > > Again, I am at my wits' ends: this is a situation where it should > work, must work and yet doesn't work. Do you have any ideas for > diagnostics, further investigation or resolution? > > Thanks, > > Vietnhi Phuvan > > > >