I'm having a problem with my custom decoder. I have defined only 2 decoders under 1 parent. However, only the first decoder works. If I switch the order of the decoders, the decoder that didn't work before now works. Any help?
Thanks. Basic info (the server that OSSEC runs on is not connected to the internet, so I can't do a simple cut and paste):

Running OSSEC 2.7 on RH5.3, monitoring a custom Java application audit log.

Audit format and examples (a log entry is all on one line; I just formatted it for readability here):

INFO 2014/03/15 08:16:05.088 GMT <http-bio-8443-exec-2> ism.acc.ozone.common.utils.ProfileUtils::getSecurityProfile
  <securityAudit>
    <SecurityAuditId>USER_LOGON</SecurityAuditId>
    <Timestamp>2014/03/15 08:16:05.088 UTC</Timestamp>
    <DisplayName>USER_LOGON</DisplayName>
    <UserId>cbrown</UserId>
    <SystemId>tstwa1 192.45.205.167</SystemId>
    <ProcessId>12345</ProcessId>
    <ResourcesParameters></ResourcesParameters>
    <Status>SUCCESS</Status>
    <Criticality>LOW</Criticality>
    <Comments>(varies)</Comments>
  </securityAudit>

INFO 2014/03/15 09:16:05.088 GMT <Timer-1> ism.acc.ozone.action.reports.UserAccessListener::auditLogout
  <securityAudit>
    <SecurityAuditId>USER_LOGOUT</SecurityAuditId>
    <Timestamp>2014/03/15 09:16:05.088 UTC</Timestamp>
    <DisplayName>USER_LOGOUT</DisplayName>
    <UserId>cbrown</UserId>
    <SystemId>tstwa1 192.45.205.167</SystemId>
    <ProcessId>12345</ProcessId>
    <ResourcesParameters></ResourcesParameters>
    <Status>SUCCESS</Status>
    <Criticality>LOW</Criticality>
    <Comments>(varies)</Comments>
  </securityAudit>

local_decoder.xml:

<decoder name="ISM">
  <prematch>^INFO \s+\d+/\d\d/\d\d\s+\d\d:\d\d:\d\d.\d\d\d\sGMT</prematch>
</decoder>

<decoder name="ism_logon">
  <parent>ISM</parent>
  <regex offset="after_parent">(USER_LOGON)\.+UserId\p(\w+)\p\.+SystemId\p(\S+)\s(\d+.\d+.\d+.\d)\p</regex>
  <regex>\.+Status\p(\S+)\p\.+Criticality\p(\w+)\p\.+mments\p(Issuer DN: C=\w\w.O=\w+,OU=\w+,CN=\w+\s\w+\s\S+)\p</regex>
  <order>action, user, srcuser, srcip, status, extra_data, extra_data</order>
</decoder>

<decoder name="ism_logout">
  <parent>ISM</parent>
  <regex offset="after_parent">(USER_LOGOUT)</regex>
  <order>action</order>
</decoder>

Test1a:

  echo "INFO above blah, blah USER_LOGON ... </securityAudit>" | ./ossec-logtest -v 2>&1

Result:

  **Phase 1: Completed pre-decoding.
       full event: 'INFO above blah, blah USER_LOGON ... </securityAudit>'
       hostname: 'tstdl2' (OSSEC server host)
       program_name: '(null)'
       log: 'INFO above blah, blah again </securityAudit>'

  **Phase 2: Completed decoding.
       decoder: 'ISM'
       action: 'USER_LOGON'
       dstuser: 'cbrown'
       srcuser: 'tstwa1'
       srcip: '192.45.205.167'
       status: 'SUCCESS'
       extra_data: 'LOW'
       extra_data: '(stuff in Comments field)'

  **Rule debugging:
       ......

Test1b:

  echo "INFO above blah, blah USER_LOGOUT ... </securityAudit>" | ./ossec-logtest -v 2>&1

Result:

  **Phase 1: Completed pre-decoding.
       full event: 'INFO above blah, blah USER_LOGOUT ... </securityAudit>'
       hostname: 'tstdl2' (OSSEC server host where ossec-logtest is running)
       program_name: '(null)'
       log: 'INFO above blah, blah again </securityAudit>'

  **Phase 2: Completed decoding.
       decoder: 'ISM'

  **Rule debugging:
       ......

Test2a (swap the positions of the 2 decoder definitions, so LOGOUT now comes first):

  echo "INFO above blah, blah USER_LOGON ... </securityAudit>" | ./ossec-logtest -v 2>&1

Result:

  **Phase 1: Completed pre-decoding.
       full event: 'INFO above blah, blah USER_LOGON ... </securityAudit>'
       hostname: 'tstdl2' (OSSEC server host)
       program_name: '(null)'
       log: 'INFO above blah, blah again </securityAudit>'

  **Phase 2: Completed decoding.
       decoder: 'ISM'

  **Rule debugging:
       ......

Test2b:

  echo "INFO above blah, blah USER_LOGOUT ... </securityAudit>" | ./ossec-logtest -v 2>&1

Result:

  **Phase 1: Completed pre-decoding.
       full event: 'INFO above blah, blah USER_LOGOUT ... </securityAudit>'
       hostname: 'tstdl2' (OSSEC server host where ossec-logtest is running)
       program_name: '(null)'
       log: 'INFO above blah, blah again </securityAudit>'

  **Phase 2: Completed decoding.
       decoder: 'ISM'
       action: 'USER_LOGOUT'

  **Rule debugging:
       ......

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
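An added example, not the poster's local_decoder.xml and not a decoder shipped with OSSEC: the same parent and two children, but written so that each child carries its own <prematch> on the SecurityAuditId value, which is the convention OSSEC's stock decoder.xml follows for sibling children (the sshd-* decoders, for instance). With a prematch on every child, which child applies is decided by the content of the line rather than by the position of the child under the parent. The decoder names, the regexes and the order mapping are assumptions derived from the two audit lines quoted in the post; \p is used for the angle brackets, as in the poster's own file, because a bare < inside an element would be read as XML markup. Whether this removes the order dependence the poster is seeing is something to confirm with ossec-logtest against real entries.

```xml
<!-- Added example decoders for the ISM Java audit log. Not the poster's file
     and not an OSSEC-shipped decoder; names, regexes and field mapping are
     assumptions based on the two log lines quoted in the post.
     \p matches punctuation, which covers the angle brackets of the
     pseudo-XML fields, so no literal bracket is needed in the patterns. -->

<decoder name="ISM">
  <!-- Fixed prefix of every audit line: INFO, date, time, GMT -->
  <prematch>^INFO\s+\d+/\d\d/\d\d\s+\d\d:\d\d:\d\d.\d\d\d\sGMT</prematch>
</decoder>

<decoder name="ism-logon">
  <parent>ISM</parent>
  <!-- The child selects itself by the audit id, searched after the parent's match -->
  <prematch offset="after_parent">SecurityAuditId\pUSER_LOGON\p</prematch>
  <!-- Fields are taken from the text following that prematch:
       UserId to user, the address inside SystemId to srcip,
       Status to status, Criticality to extra_data -->
  <regex offset="after_prematch">UserId\p(\w+)\p\.+SystemId\p\S+\s(\d+.\d+.\d+.\d+)\p\.+Status\p(\w+)\p\.+Criticality\p(\w+)\p</regex>
  <order>user, srcip, status, extra_data</order>
</decoder>

<decoder name="ism-logout">
  <parent>ISM</parent>
  <!-- Same shape as the logon child; only the audit id in the prematch differs -->
  <prematch offset="after_parent">SecurityAuditId\pUSER_LOGOUT\p</prematch>
  <regex offset="after_prematch">UserId\p(\w+)\p\.+SystemId\p\S+\s(\d+.\d+.\d+.\d+)\p\.+Status\p(\w+)\p\.+Criticality\p(\w+)\p</regex>
  <order>user, srcip, status, extra_data</order>
</decoder>
```

To check it, paste one complete audit line (not an abbreviated one, since the parent prematch needs the real date/time prefix) into ossec-logtest from the OSSEC install directory, e.g. echo 'INFO 2014/03/15 08:16:05.088 GMT ... </securityAudit>' | ./ossec-logtest; Phase 2 should report decoder 'ism-logon' or 'ism-logout' and list the four fields, and it should do so regardless of which child is listed first in the file. Rules can then select on <decoded_as>ism-logon</decoded_as> together with <status>, rather than on an action field.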
