On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel <elitun...@gmail.com> wrote:
> Hi Guys
>
>
> I am looking to create a new custom ossec rule to capture a specific phrase in
> a log.
> I have added the required directory to the ossec.conf <localfile>
> monitoring.
>
> LOG Sample:
>
> 2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
> [.m.async.facade.Bootstrap] Became Leader!!!  |TAGS|
> 2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
> [.m.async.facade.Bootstrap] ############################## Leader election:
> Server is leader and starting ##############################  |TAGS|
>
> Looking to find
>
>
> Leader election: Server is leader and starting
>

I'm assuming you haven't tried, so here's a basic run down.

Start with ossec-logtest:
# echo '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ############################## Leader
election: Server is leader and starting ##############################
 |TAGS|' | /var/ossec/bin/ossec-logtest

**Phase 1: Completed pre-decoding.
       full event: '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ############################## Leader
election: Server is leader and starting ##############################
 |TAGS|'
       hostname: 'INFO'
       program_name: '(null)'
       log: ' [main-EventThread  ] [.m.async.facade.Bootstrap]
############################## Leader election: Server is leader and
starting ##############################  |TAGS|'

**Phase 2: Completed decoding.
       No decoder matched.

The "log" field is what we'll be working with mostly. So let's add a
basic rule to local_rules.xml:
  <rule id="400001" level="1">
    <match>m.async.facade.Bootstrap</match>
    <description>Stuff</description>
  </rule>

Re-run logtest:
**Phase 1: Completed pre-decoding.
       full event: '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ############################## Leader
election: Server is leader and starting ##############################
 |TAGS|'
       hostname: 'INFO'
       program_name: '(null)'
       log: ' [main-EventThread  ] [.m.async.facade.Bootstrap]
############################## Leader election: Server is leader and
starting ##############################  |TAGS|'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '400001'
       Level: '1'
       Description: 'Stuff'
**Alert to be generated.

As we can see our new rule is matched. So let's look at more specific
details to get exactly what you want:
  <rule id="400002" level="1">
    <if_sid>400001</if_sid>
    <match>Leader election: Server is leader and starting</match>
    <description>Leader election.</description>
  </rule>

More logtest:
**Phase 1: Completed pre-decoding.
       full event: '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ############################## Leader
election: Server is leader and starting ##############################
 |TAGS|'
       hostname: 'INFO'
       program_name: '(null)'
       log: ' [main-EventThread  ] [.m.async.facade.Bootstrap]
############################## Leader election: Server is leader and
starting ##############################  |TAGS|'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '400002'
       Level: '1'
       Description: 'Leader election.'
**Alert to be generated.

Final rules:
  <rule id="400001" level="0"> <!-- Probably doesn't need to be 1 -->
    <match>m.async.facade.Bootstrap</match>
    <description>m.async.facade.Bootstrap group</description> <!--
more descriptive description -->
  </rule>

  <rule id="400002" level="1"> <!-- adjust level to fit your concerns -->
    <if_sid>400001</if_sid>
    <match>Leader election: Server is leader and starting</match>
    <description>Leader election.</description>
  </rule>

Add those and restart the ossec processes on the master.

> Thanks ahead!!
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

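A small model of the two-rule chain from the reply above, added here as an example; it is not OSSEC code and not from either poster. It assumes a `<match>` string with no special characters behaves as a plain substring test, that `<if_sid>` only lets a child rule run once its parent has matched, and that a level 0 rule matches silently (no alert), which is why the parent was lowered to level 0 in the final rules. The sample events are copied from the question's log excerpt; the third line is constructed.

```python
# Rules as given in the thread's "Final rules" (400001 at level 0).
RULES = [
    {"id": 400001, "level": 0, "if_sid": None,
     "match": "m.async.facade.Bootstrap",
     "description": "m.async.facade.Bootstrap group"},
    {"id": 400002, "level": 1, "if_sid": 400001,
     "match": "Leader election: Server is leader and starting",
     "description": "Leader election."},
]

# Sample events: first two from the question, third constructed as a non-match.
LEADER_LINE = ("2016-07-24 11:43:22,707 INFO  [main-EventThread  ] "
               "[.m.async.facade.Bootstrap] ############################## "
               "Leader election: Server is leader and starting "
               "##############################  |TAGS|")
BECAME_LINE = ("2016-07-24 11:43:22,707 INFO  [main-EventThread  ] "
               "[.m.async.facade.Bootstrap] Became Leader!!!  |TAGS|")
OTHER_LINE = "2016-07-24 11:43:23,001 INFO  [main] [.m.other.Thing] started  |TAGS|"


def evaluate(event):
    """Return (rule_id, level, description) of the most specific rule that
    matches, or None. Rules are tried in file order; a child rule (if_sid)
    is only tried after its parent has fired, so the last match wins."""
    fired = set()   # ids of rules that matched so far (assumed if_sid semantics)
    winner = None
    for rule in RULES:
        if rule["if_sid"] is not None and rule["if_sid"] not in fired:
            continue                      # parent did not fire: skip child
        if rule["match"] in event:        # plain <match> == substring test
            fired.add(rule["id"])
            winner = rule
    if winner is None:
        return None
    return winner["id"], winner["level"], winner["description"]


def alerts(event):
    """An alert is generated only when the winning rule's level is above 0."""
    result = evaluate(event)
    return result is not None and result[1] > 0


if __name__ == "__main__":
    for ev in (LEADER_LINE, BECAME_LINE, OTHER_LINE):
        print(f"{ev[:44]!r:48} -> rule={evaluate(ev)} alert={alerts(ev)}")
```

Running it shows the "Became Leader!!!" line reaching only the level 0 parent, so with these rules it produces no alert, while the "Leader election" line is escalated to 400002.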
