Hi, I made an upgrade from 2.8.3 to 2.9.4, for handling exim logs/rules. But this decoder or these rules don't seem to be tested. Here is a debug session:

> # bin/ossec-logtest -v
> 2018/06/25 11:32:41 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> 2018/06/25 11:32:41 ossec-testrule: INFO: Started (pid: 15189).
> ossec-testrule: Type one log per line.
>
> 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)'
>        hostname: 'logcollector'
>        program_name: '(null)'
>        log: '2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        srcip: '10.101.1.18'
>        dstuser: 'user'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>     Trying rule: 5556 - unix_chkpwd grouping.
>     Trying rule: 5700 - SSHD messages grouped.
>     Trying rule: 5757 - Bad DNS mapping.
>     Trying rule: 5600 - Grouping for the telnetd rules
>     Trying rule: 2100 - NFS rules grouped.
>     Trying rule: 2507 - OpenLDAP group.
>     Trying rule: 2550 - rshd messages grouped.
>     Trying rule: 2701 - Ignoring procmail messages.
>     Trying rule: 2800 - Pre-match rule for smartd.
>     Trying rule: 5100 - Pre-match rule for kernel messages
>     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>     Trying rule: 2830 - Crontab rule group.
>     Trying rule: 5300 - Initial grouping for su messages.
>     Trying rule: 5905 - useradd failed.
>     Trying rule: 5400 - Initial group for sudo messages
>     Trying rule: 9100 - PPTPD messages grouped
>     Trying rule: 9200 - Squid syslog messages grouped
>     Trying rule: 2900 - Dpkg (Debian Package) log.
>        *Rule 2900 matched.
>        *Trying child rules.
>     Trying rule: 2902 - New dpkg (Debian Package) installed.
>     Trying rule: 2903 - Dpkg (Debian Package) removed.
>     Trying rule: 2901 - New dpkg (Debian Package) requested to install.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2900'
>        Level: '0'
>        Description: 'Dpkg (Debian Package) log.'
>
As you can see, the exim rules are never tested... The line is the one given as an example in exim_rules.xml. The etc/decoder.xml contains the exim decoders, and it is loaded, as is exim_rules.xml:

> 2018/06/25 11:32:30 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> 2018/06/25 11:32:31 ossec-testrule: INFO: Started (pid: 15125).
> 2018/06/25 11:32:31 ossec-execd: INFO: Started (pid: 15148).
> 2018/06/25 11:32:31 ossec-analysisd: INFO: Reading decoder file etc/decoder.xml.
> ...
> 2018/06/25 11:32:31 ossec-analysisd: INFO: Reading rules file: 'exim_rules.xml'
> ...
>

How can I solve this?

Thanks,
Frank
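The following is an added diagnostic example, not code from the post and not the decoder or rules shipped with OSSEC. It isolates the one log line from the debug session above in a decoder and rule of its own, so ossec-logtest can show whether the line reaches a decoder that is specifically keyed on the exim "authenticator failed" text instead of a more general one. OSSEC tries top-level decoders in load order and stops at the first whose prematch hits, and a rule carrying decoded_as is only considered when that decoder (or one of its children) is the one reported in Phase 2, so the decoder name on the Phase 2 line is the thing to check. The decoder name exim-authfail-test, the rule id 100100, and the file placement (etc/local_decoder.xml and etc/local_rules.xml, or appended to the existing decoder.xml / rules files if the install does not load those) are assumptions for this illustration.

```xml
<!-- Added example for ossec-logtest, not part of the original post or of OSSEC.
     Decoder fragment: assumed to live in etc/local_decoder.xml (or decoder.xml).
     Name exim-authfail-test is hypothetical. -->
<decoder name="exim-authfail-test">
  <!-- Exim-style timestamp, then the authenticator name, then the fixed text.
       Anchoring on "authenticator failed for" rather than on the date alone is
       what keeps a date-only decoder from claiming the line first. -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \S+ authenticator failed for </prematch>
  <!-- Remaining text: "(hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)".
       OSSEC regex: no bracket classes, so [ and ] are literals; ( ) capture; \( \) are literal parens. -->
  <regex offset="after_prematch">^\S+ [(\d+.\d+.\d+.\d+)]:\d+: 535 Incorrect authentication data \(set_id=(\w+)\)</regex>
  <order>srcip,dstuser</order>
</decoder>

<!-- Rule fragment: assumed to live in etc/local_rules.xml. Id 100100 is hypothetical
     (ids from 100000 up are the customary local range). -->
<group name="exim,local,">
  <rule id="100100" level="5">
    <decoded_as>exim-authfail-test</decoded_as>
    <description>Exim: authenticator failed (local test rule for ossec-logtest).</description>
  </rule>
</group>

<!-- Usage (from the OSSEC install directory):
       bin/ossec-logtest -v
     then paste the line:
       2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
     Expected when the fragments are loaded: Phase 2 reports
       decoder: 'exim-authfail-test', srcip: '10.101.1.18', dstuser: 'user'
     and Phase 3 reports Rule id: '100100'. If Phase 2 still reports
     'windows-date-format', an earlier decoder in the load order is taking the line. -->
```

The test rule uses only decoded_as on purpose: if rule 100100 fires, the decoder side is proven and the remaining question is confined to how the shipped exim rules are keyed; if it does not fire while Phase 2 names the new decoder, the problem is on the rule side. Remove the fragments once the check is done so they do not shadow the stock exim decoder in production.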