I should mention this is OSSEC 2.7

On Tuesday, November 20, 2012 4:35:31 PM UTC-6, Scott wrote:
>
> Hi everyone,
>
> Sorry to be on the list so much, but I've hit another block in my 
> understanding of ossec.
>
> What am I doing wrong here?  The decoder seems to work, but the rule does 
> not match!
>
> etc/local_decoder.xml:
> <decoder name="zabbix">
>   <prematch>^Zabbix Server[\d+]: </prematch>
> </decoder>
>
> <decoder name="zabbix-check-failed">
>   <parent>zabbix</parent>
>   <regex offset="after_parent">Sending list of active checks to [(\S+)] (failed): host [(\S+)] not found</regex>
>   <order>dstip,status,extra_data</order>
> </decoder>
>
> rules/local_rules.xml:
> <group name="zabbix">
>   <rule id="100100" level="2">
>     <decoded_as>zabbix</decoded_as> <!-- tried also with this commented out -->
>     <description>Zabbix server messages</description>
>   </rule>
> </group>
> (I've also tried with "zabbix-check-failed" in local_rules.xml)
>
> Running logtest:
>
> $ echo 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found' | bin/ossec-logtest
> 2012/11/20 22:26:39 ossec-testrule: INFO: Reading local decoder file.
> 2012/11/20 22:26:39 ossec-testrule: INFO: Started (pid: 10478).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
>        hostname: 'abc'
>        program_name: '(null)'
>        log: 'Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
>
> **Phase 2: Completed decoding.
>        decoder: 'zabbix'
>        dstip: '1.2.3.4'
>        status: 'failed'
>        extra_data: 'abc.example.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
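A small harness for the check the poster is doing by hand above, added here as an example and not part of the thread: it parses the phase output of ossec-logtest and reports when the decoder or the rule id differs from what the local rule is expected to produce, so a custom decoder/rule pair can be regression-tested after every edit. The sample output is copied from the OSSEC 2.7 run in the post (line wrapping undone); the `/var/ossec/bin/ossec-logtest` path is an assumption.

```python
import re
import subprocess
# ossec-logtest output for the thread's Zabbix line (copied from the OSSEC 2.7 run above, unwrapped).
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'Nov 20 21:05:33 abc Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
       program_name: '(null)'
       log: 'Zabbix Server[1696]: Sending list of active checks to [1.2.3.4] failed: host [abc.example.com] not found'
**Phase 2: Completed decoding.
       decoder: 'zabbix'
       dstip: '1.2.3.4'
       status: 'failed'
       extra_data: 'abc.example.com'
**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
"""
PHASE_RE = re.compile(r"^\*\*Phase (\d+):")
FIELD_RE = re.compile(r"^\s+([\w ]+): '(.*)'$")

def parse_logtest(output):
    """Map each **Phase N block to a dict of the 'name: value' lines under it."""
    phases, current = {}, None
    for line in output.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = phases.setdefault(int(m.group(1)), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return phases

def check_event(output, expected_decoder, expected_rule):
    """Return the mismatches between the logtest output and what the local rule should do."""
    phases = parse_logtest(output)
    decoder = phases.get(2, {}).get("decoder")
    rule = phases.get(3, {}).get("Rule id")  # absent when no rule matched at all
    problems = []
    if decoder != expected_decoder:
        problems.append(f"decoder {decoder!r}, expected {expected_decoder!r}")
    if rule != expected_rule:
        problems.append(f"rule {rule!r}, expected {expected_rule!r}")
    return problems

def run_logtest(log_line, logtest="/var/ossec/bin/ossec-logtest"):
    """Feed one log line to ossec-logtest on stdin, as the thread does with echo (path assumed)."""
    proc = subprocess.run([logtest], input=log_line + "\n", capture_output=True, text=True)
    return proc.stdout + proc.stderr
```

Running `check_event(run_logtest(line), "zabbix", "100100")` on the thread's sample line reports the rule mismatch seen above (1002 instead of 100100), while the decoder check passes.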
