Hi,
I made an upgrade from 2.8.3 to 2.9.4, for handling exim logs/rules. But
this decoder or these rules don't seem to be tested. Here is a debug session:
>
> # bin/ossec-logtest -v
> 2018/06/25 11:32:41 ossec-testrule: INFO: Reading decoder file
> etc/decoder.xml.
> 2018/06/25 11:32:41 ossec-testrule: INFO: Started (pid: 15189).
> ossec-testrule: Type one log per line.
>
> 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra)
> [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017-01-23 03:44:14 dovecot_login authenticator failed
> for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data
> (set_id=user)'
>        hostname: 'logcollector'
>        program_name: '(null)'
>        log: '2017-01-23 03:44:14 dovecot_login authenticator failed for
> (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data
> (set_id=user)'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        srcip: '10.101.1.18'
>        dstuser: 'user'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>     Trying rule: 5556 - unix_chkpwd grouping.
>     Trying rule: 5700 - SSHD messages grouped.
>     Trying rule: 5757 - Bad DNS mapping.
>     Trying rule: 5600 - Grouping for the telnetd rules
>     Trying rule: 2100 - NFS rules grouped.
>     Trying rule: 2507 - OpenLDAP group.
>     Trying rule: 2550 - rshd messages grouped.
>     Trying rule: 2701 - Ignoring procmail messages.
>     Trying rule: 2800 - Pre-match rule for smartd.
>     Trying rule: 5100 - Pre-match rule for kernel messages
>     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>     Trying rule: 2830 - Crontab rule group.
>     Trying rule: 5300 - Initial grouping for su messages.
>     Trying rule: 5905 - useradd failed.
>     Trying rule: 5400 - Initial group for sudo messages
>     Trying rule: 9100 - PPTPD messages grouped
>     Trying rule: 9200 - Squid syslog messages grouped
>     Trying rule: 2900 - Dpkg (Debian Package) log.
>        *Rule 2900 matched.
>        *Trying child rules.
>     Trying rule: 2902 - New dpkg (Debian Package) installed.
>     Trying rule: 2903 - Dpkg (Debian Package) removed.
>     Trying rule: 2901 - New dpkg (Debian Package) requested to install.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2900'
>        Level: '0'
>        Description: 'Dpkg (Debian Package) log.'
>

As you can see, the exim rules are never tested... The line is the one
given as an example in exim_rule.xml.

The etc/decoder.xml contains exim decoders, and it is loaded, like
exim_rules.xml.

> 2018/06/25 11:32:30 ossec-testrule: INFO: Reading decoder file
> etc/decoder.xml.
> 2018/06/25 11:32:31 ossec-testrule: INFO: Started (pid: 15125).
> 2018/06/25 11:32:31 ossec-execd: INFO: Started (pid: 15148).
> 2018/06/25 11:32:31 ossec-analysisd: INFO: Reading decoder file
> etc/decoder.xml.
> ...
> 2018/06/25 11:32:31 ossec-analysisd: INFO: Reading rules file:
> 'exim_rules.xml'
> ...

How can I solve this?

Thanks
Frank
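A small harness for checking ossec-logtest output in a test script, added here as an example and not part of the original post or of OSSEC: it parses the phase blocks shown above and flags a line that did not reach the expected decoder or only fired a level-0 grouping rule (the decoder name "exim" and the trimmed sample output are assumptions).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the ossec-logtest output from the thread above, with
# most of the unrelated "Trying rule" lines trimmed to keep it short.
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: '2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)'
       hostname: 'logcollector'
       program_name: '(null)'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '10.101.1.18'
       dstuser: 'user'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
    Trying rule: 2900 - Dpkg (Debian Package) log.
       *Rule 2900 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2900'
       Level: '0'
       Description: 'Dpkg (Debian Package) log.'
"""

# Matches the indented "key: 'value'" lines ossec-logtest prints per phase.
FIELD_RE = re.compile(r"^\s+([A-Za-z_ ]+): '(.*)'$")


def parse_logtest(output: str) -> Dict[str, Dict[str, str]]:
    """Split ossec-logtest output into its '**' phase blocks and collect
    the key/value fields printed under each block."""
    phases: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if line.startswith("**"):
            current = line[2:].split(":")[0].strip()   # e.g. "Phase 2"
            phases[current] = {}
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                phases[current][m.group(1).strip()] = m.group(2)
    return phases


def check_decoder(output: str, expected_decoder: str, min_level: int = 1) -> List[str]:
    """Return the problems found: wrong decoder in Phase 2, or a final rule
    whose level is below min_level (level 0 means no alert would be raised)."""
    phases = parse_logtest(output)
    problems: List[str] = []
    decoder = phases.get("Phase 2", {}).get("decoder")
    if decoder != expected_decoder:
        problems.append(f"decoder '{decoder}' matched instead of '{expected_decoder}'")
    phase3 = phases.get("Phase 3", {})
    level = int(phase3.get("Level", "0"))
    if level < min_level:
        problems.append(f"rule {phase3.get('Rule id')} fired at level {level}")
    return problems
```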
