On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel <elitun...@gmail.com> wrote:
> Hi Guys
>
> I am looking to create a new custom ossec rule to capture a specific phrase in
> a log.
> I have added the required directory to the ossec.conf <localfile>
> monitoring.
>
> LOG Sample:
>
> 2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] Became Leader!!! |TAGS|
> 2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|
>
> Looking to find
>
> Leader election: Server is leader and starting
>
I'm assuming you haven't tried, so here's a basic run down. Start with ossec-logtest:

# echo '2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|' | /var/ossec/bin/ossec-logtest

**Phase 1: Completed pre-decoding.
       full event: '2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|'
       hostname: 'INFO'
       program_name: '(null)'
       log: ' [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|'

**Phase 2: Completed decoding.
       No decoder matched.

The "log" field is what we'll be working with mostly. So let's add a basic rule to local_rules.xml:

<rule id="400001" level="1">
  <match>m.async.facade.Bootstrap</match>
  <description>Stuff</description>
</rule>

Re-run logtest:

**Phase 1: Completed pre-decoding.
       full event: '2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|'
       hostname: 'INFO'
       program_name: '(null)'
       log: ' [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '400001'
       Level: '1'
       Description: 'Stuff'
**Alert to be generated.

As we can see our new rule is matched. So let's look at more specific details to get exactly what you want:

<rule id="400002" level="1">
  <if_sid>400001</if_sid>
  <match>Leader election: Server is leader and starting</match>
  <description>Leader election.</description>
</rule>

More logtest:

**Phase 1: Completed pre-decoding.
       full event: '2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|'
       hostname: 'INFO'
       program_name: '(null)'
       log: ' [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: Server is leader and starting ############################## |TAGS|'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '400002'
       Level: '1'
       Description: 'Leader election.'
**Alert to be generated.

Final rules:

<rule id="400001" level="0"> <!-- Probably doesn't need to be 1 -->
  <match>m.async.facade.Bootstrap</match>
  <description>m.async.facade.Bootstrap group</description> <!-- more descriptive description -->
</rule>

<rule id="400002" level="1"> <!-- adjust level to fit your concerns -->
  <if_sid>400001</if_sid>
  <match>Leader election: Server is leader and starting</match>
  <description>Leader election.</description>
</rule>

Add those and restart the ossec processes on the master.

> Thanks ahead!!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
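As an added example that is not part of this thread and not OSSEC's own matching engine: a small Python script that parses the two final rules from the reply and walks the parent/child chain the way phase 3 of ossec-logtest does, so you can see which rule fires for each of the two sample lines without a running OSSEC install. It simplifies `<match>` to a plain substring test (OSSEC's own `^`, `$` and `|` pattern syntax is not implemented) and treats a matched rule as alerting only when its level is at least 1, which is why the level-0 parent stays silent on the "Became Leader!!!" line while the child rule alerts on the leader-election line.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the two final rules from the reply, wrapped in a <group>
# so the fragment parses as a single XML document.
LOCAL_RULES = """<group name="local,">
  <rule id="400001" level="0">
    <match>m.async.facade.Bootstrap</match>
    <description>m.async.facade.Bootstrap group</description>
  </rule>
  <rule id="400002" level="1">
    <if_sid>400001</if_sid>
    <match>Leader election: Server is leader and starting</match>
    <description>Leader election.</description>
  </rule>
</group>
"""

# Constructed sample input: the two log lines from the question.
SAMPLE_LOGS = [
    "2016-07-24 11:43:22,707 INFO [main-EventThread ] "
    "[.m.async.facade.Bootstrap] Became Leader!!! |TAGS|",
    "2016-07-24 11:43:22,707 INFO [main-EventThread ] "
    "[.m.async.facade.Bootstrap] ############################## "
    "Leader election: Server is leader and starting "
    "############################## |TAGS|",
]


def parse_rules(xml_text):
    """Turn each <rule> element into a dict: id, level, match, if_sid list, description."""
    rules = []
    for elem in ET.fromstring(xml_text).iter("rule"):
        if_sid = elem.findtext("if_sid") or ""
        rules.append({
            "id": int(elem.get("id")),
            "level": int(elem.get("level", "0")),
            "match": elem.findtext("match") or "",
            "if_sid": [int(s) for s in if_sid.split(",") if s.strip()],
            "description": elem.findtext("description") or "",
        })
    return rules


def _descend(rule, rules, log_line):
    """Return the deepest rule in this subtree whose <match> occurs in the line.

    Simplification: <match> is a plain substring test here; OSSEC's own
    pattern syntax (^, $, |) is not implemented.
    """
    if rule["match"] not in log_line:
        return None
    # Children are the rules whose <if_sid> names this rule's id.
    for child in rules:
        if rule["id"] in child["if_sid"]:
            deeper = _descend(child, rules, log_line)
            if deeper is not None:
                return deeper
    return rule  # parent matched but no child did


def evaluate(rules, log_line):
    """Mimic phase 3 of ossec-logtest: try each top-level rule (one without
    <if_sid>) and descend into its children; the most specific match wins."""
    for rule in rules:
        if not rule["if_sid"]:
            hit = _descend(rule, rules, log_line)
            if hit is not None:
                return hit
    return None


def alert_for(rules, log_line, min_level=1):
    """Return (rule_id, level, description) when an alert would be generated,
    or None. Level-0 rules match but never alert, as in OSSEC."""
    hit = evaluate(rules, log_line)
    if hit is None or hit["level"] < min_level:
        return None
    return (hit["id"], hit["level"], hit["description"])


if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    for line in SAMPLE_LOGS:
        hit = evaluate(rules, line)
        print(f"rule {hit['id'] if hit else None}: alert={alert_for(rules, line)}")
```

Run it as-is and the first sample line stops at the level-0 parent (no alert), while the second descends into 400002 and alerts; feed it a line without `m.async.facade.Bootstrap` and nothing matches at all, which is the behaviour to expect once the rules are loaded on the master.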