Here is what I have created so far. Logtest works; waiting for real world (I have a disk on a Buffalo NAS that is dying).

Thought it may help others. But I will post real world results.

*Decoders:*

<decoder name="nas-101-broken">
  <program_name>errormon</program_name>
  <prematch>^Error situation detected! </prematch>
  <!-- The regex runs on the message left after pre-decoding has stripped the syslog
       header, so it must not try to match the timestamp, hostname and program name.
       Start it after the prematch and capture the disk name ("HD4") into status. -->
  <regex offset="after_prematch">^(\w+) </regex>
  <order>status</order>
</decoder>

<decoder name="nas-101-sector">
  <!-- The stock iptables decoder already claims the kernelmon lines (see the quoted
       logtest run below), so chain off it instead of competing with it, and keep this
       decoder's own name so the rules can use it in <decoded_as>. -->
  <parent>iptables</parent>
  <use_own_name>true</use_own_name>
  <prematch>^cmd=</prematch>
  <!-- cmd=ioerr sdc READ 33661712 1  ->  extra_data = sdc (device), status = 1 -->
  <regex>^cmd=\S+\s(\S+)\s\w+\s\d+\s(\d)</regex>
  <order>extra_data,status</order>
</decoder>


*Rules:*

<group name="NAS Disk Error">
  <rule id="810001" level="10">
    <hostname>TS5400R33A</hostname>
    <decoded_as>nas-101-sector</decoded_as>
    <description>Buffalo NAS - Bad Sector Count!</description>
  </rule>

  <!-- if_matched_sid only counts earlier alerts inside a frequency/timeframe window;
       without those attributes nothing makes this "Repeated" rule differ from 810001.
       3 hits in 600 seconds are example values to tune. -->
  <rule id="810002" level="16" frequency="3" timeframe="600">
    <if_matched_sid>810001</if_matched_sid>
    <description>Buffalo NAS - Repeated Bad Sector Count!</description>
  </rule>
</group>

<group name="NAS Disk Broken">
  <rule id="810003" level="10">
    <hostname>TS5400R33A</hostname>
    <decoded_as>nas-101-broken</decoded_as>
    <description>Buffalo NAS - Disk Failure!</description>
  </rule>

  <!-- Same frequency/timeframe window as 810002; example values to tune. -->
  <rule id="810004" level="16" frequency="3" timeframe="600">
    <if_matched_sid>810003</if_matched_sid>
    <description>Buffalo NAS - Repeated Disk Failure!</description>
  </rule>
</group>


Logtest output:

Jun 21 03:27:36 TS5400R33A errormon[2761]: Error situation detected! HD4 Broken   E30Replace the DISK

**Phase 1: Completed pre-decoding.
       full event: 'Jun 21 03:27:36 TS5400R33A errormon[2761]: Error situation detected! HD4 Broken   E30Replace the DISK'
       hostname: 'TS5400R33A'
       program_name: 'errormon'
       log: 'Error situation detected! HD4 Broken   E30Replace the DISK'

**Phase 2: Completed decoding.
       decoder: 'nas-101-broken'

**Phase 3: Completed filtering (rules).
       Rule id: '810004'
       Level: '16'
       Description: 'Buffalo NAS - Repeated Disk Failure!'
**Alert to be generated.

Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1

**Phase 1: Completed pre-decoding.
       full event: 'Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1'
       hostname: 'TS5400R33A'
       program_name: 'kernelmon'
       log: 'cmd=ioerr sdc READ 33661712 1'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       extra_data: 'sdc'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '810002'
       Level: '16'
       Description: 'Buffalo NAS - Repeated Bad Sector Count!'
**Alert to be generated.

On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>
> If I run it through logtest I get iptables as the final decoder:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>        hostname: 'TS5400R33A'
>        program_name: 'kernelmon'
>        log: 'cmd=ioerr sdc READ 50030496 1'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
>
> I tried to make other custom decoders using iptables as the parent and/or
> totally new decoders for this log, but it always decodes the same.
>
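To show end to end what the decoders and rules above are meant to do, here is an added Python emulation (my own example, not the post's configuration and not OSSEC itself): it decodes the two message formats with re equivalents of the decoders, applies the <hostname> condition, and counts base matches in a sliding window the way if_matched_sid with frequency/timeframe does. The frequency of 3, the timeframe of 600 seconds, the year 2018 and the sample lines are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime

# Python renderings of the post's two OSSEC decoders (OSSEC \w \d \S written in re syntax),
# with the syslog header that OSSEC's pre-decoder strips captured up front.
HEADER = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
DECODERS = {
    "nas-101-sector": re.compile(HEADER + r"kernelmon: cmd=\S+ (?P<extra_data>\S+) \w+ \d+ (?P<status>\d)"),
    "nas-101-broken": re.compile(HEADER + r"errormon\[\d+\]: Error situation detected! (?P<status>\w+) "),
}
BASE_RULES = {"nas-101-sector": (810001, 10), "nas-101-broken": (810003, 10)}  # (id, level); "Repeated" = id + 1

def decode(line):
    """Return (decoder_name, fields) for one syslog line, or (None, {}) if nothing matches."""
    for name, rx in DECODERS.items():
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            ts = datetime.strptime(fields.pop("ts"), "%b %d %H:%M:%S").replace(year=2018)  # assumed year
            fields["time"] = ts.timestamp()
            return name, fields
    return None, {}

def evaluate(lines, frequency=3, timeframe=600):
    """Run decoders then rules over lines in order; return [(rule_id, level, fields)]."""
    recent = {name: deque() for name in BASE_RULES}  # timestamps of recent base-rule matches
    alerts = []
    for line in lines:
        name, fields = decode(line)
        if name is None or fields["hostname"] != "TS5400R33A":  # the rules' <hostname> condition
            continue
        window, t = recent[name], fields["time"]
        window.append(t)
        while t - window[0] > timeframe:  # timeframe: forget matches older than the window
            window.popleft()
        rule_id, level = BASE_RULES[name]
        if len(window) >= frequency:  # if_matched_sid + frequency: the "Repeated" rule fires instead
            rule_id, level = rule_id + 1, 16  # 810002 / 810004
        alerts.append((rule_id, level, fields))
    return alerts

# Constructed sample: three bad-sector reports inside ten minutes, then a disk-failure message.
SAMPLE = [
    "Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1",
    "Jun 13 09:41:10 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661720 1",
    "Jun 13 09:45:02 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661800 1",
    "Jun 21 03:27:36 TS5400R33A errormon[2761]: Error situation detected! HD4 Broken   E30Replace the DISK",
]
```

Running `evaluate(SAMPLE)` yields two 810001 alerts, then 810002 at level 16 on the third bad-sector line, then a single 810003 for the disk-failure line.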
