Hi Akash,

The OSSEC engine has 3 phases: pre-decoding, decoding, rule matching.

The pre-decoding is done automatically by OSSEC (at C level):

    **Phase 1: Completed pre-decoding.
           full event: 'myapplication: This is a test'
           hostname: 'ip-10-0-0-10'
           program_name: '(null)'
           log: 'myapplication: This is a test'

You have to create your decoders based on the information extracted in phase 1:

- If pre-decoding extracts program_name, use program_name in your parent decoder.
- Otherwise, use prematch.

So, you must use prematch, because your program_name is null:

    <decoder name="test">
      <prematch>myapplication: </prematch>
    </decoder>

    <decoder name="test-fields">
      <parent>test</parent>
      <prematch offset="after_parent">this</prematch>
      <regex offset="after_parent">(\S+)</regex>
      <order>extra_data</order>
    </decoder>

    myapplication: This is a test

    **Phase 1: Completed pre-decoding.
           full event: 'myapplication: This is a test'
           hostname: 'ip-10-0-0-10'
           program_name: '(null)'
           log: 'myapplication: This is a test'

    **Phase 2: Completed decoding.
           decoder: 'test'
           extra_data: 'This'

I hope it helps.

Regards.

On Sunday, June 11, 2017 at 2:16:58 AM UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jun 9, 2017 at 11:21 AM, Akash Munjal <akashmu...@gmail.com> wrote:
> >
> > Hi,
> >
> > I created a custom decoder, /var/ossec/etc/local_decoder.xml, as:
> >
> > <decoder name="myapplication">
> >   <program_name>myapplication</program_name>
> >   <prematch>^myapplication: </prematch>
> > </decoder>
> >
> > Entry of the decoder in the manager's ossec.conf file:
> >
> > <rules>
> >   <include>local_rules.xml</include>
> >   <decoder>etc/decoder.xml</decoder>
> >   <decoder>etc/local_decoder.xml</decoder>
> >   <decoder_dir>rules/plugins</decoder_dir>
> > </rules>
> >
> > When I run the logtest command it shows this:
> >
> > /var/ossec/bin/ossec-logtest
> > 2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> > 2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
> > 2017/06/09 20:08:54 ossec-testrule: INFO: Started (pid: 21573).
> > ossec-testrule: Type one log per line.
> >
> > myapplication: This is a test
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'myapplication: This is a test'
> >        hostname: 'ip-x.x.x.x'
> >        program_name: '(null)'
>
> In your decoder you had program_name equal to myapplication. This is
> not how the event was decoded.
>
> >        log: 'myapplication: This is a test'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > #### I follow this link as below:
> > https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm
> >
> > Can anyone help me out with this?
> >
> > Thanks.......
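As an added example, not code from this thread or from OSSEC itself, the Python below simulates the two phases the reply describes: a simplified pre-decoder that fills program_name only for syslog-formatted lines, and a decoder table standing in for local_decoder.xml, so you can see why a <program_name> decoder never matches the raw "myapplication: This is a test" line while the prematch decoder (with its after_parent child) does. The decoder name "by-program", the syslog-formatted sample line, and the use of Python's re as a stand-in for OSSEC's own OS_Regex are assumptions.

```python
import re

# Constructed sample events; the raw line is the one from the thread.
RAW_EVENT = "myapplication: This is a test"
SYSLOG_EVENT = "Jun  9 20:08:54 ip-10-0-0-10 myapplication[4242]: This is a test"

# Simplified syslog header "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_HDR = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Hypothetical decoder table standing in for local_decoder.xml; entries
# without "parent" are parent decoders, "order" mirrors <order>.
DECODERS = [
    {"name": "by-program", "program_name": "myapplication"},
    {"name": "test", "prematch": r"myapplication: "},
    {"name": "test-fields", "parent": "test", "prematch": r"this",
     "regex": r"(\S+)", "order": ["extra_data"]},
]

def predecode(event):
    """Phase 1: program_name is filled only when a syslog header is present."""
    m = SYSLOG_HDR.match(event)
    if m:
        return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}
    return {"hostname": "ip-10-0-0-10", "program_name": None, "log": event}  # local host

def decode(event):
    """Phase 2: first matching parent decoder wins, then its children run with
    offset="after_parent" semantics (re.I stands in for OSSEC's OS_Regex)."""
    pre = predecode(event)
    for d in DECODERS:
        if "parent" in d:
            continue
        if "program_name" in d and pre["program_name"] != d["program_name"]:
            continue  # a null program_name can never satisfy <program_name>
        m = re.search(d.get("prematch", ""), pre["log"], re.I)
        if not m:
            continue
        out = {**pre, "decoder": d["name"]}
        rest = pre["log"][m.end():]  # after_parent matching starts here
        for c in (c for c in DECODERS if c.get("parent") == d["name"]):
            if re.search(c["prematch"], rest, re.I):
                fm = re.search(c["regex"], rest, re.I)
                if fm:
                    out.update(zip(c["order"], fm.groups()))
                break
        return out
    return {**pre, "decoder": None}
```

Running decode(RAW_EVENT) yields decoder "test" with extra_data "This", matching the logtest output in the reply, while the same line through a syslog header is decoded by "by-program" instead.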