[ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread root
Hi all,

I got a question about OSSEC rules regular expression syntax.

We know that when I want to match a number, I can use \d or \d+.

But now, if I have a string like this:

failed=0==failed=(\d+)

I want to exclude 0, so I use failed=([1-9]+), but it can not match it.

How can I do this?

Thanks. Best Regards

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




[ossec-list] Re: about ossec rules Regular Expression Syntax

2013-02-28 Thread root

And what does extra_data mean in rules?
Does it support regular expression syntax?

Now my rules are:

<group name="local,rsyslog,">
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
    <extra_data>^[1-9]+</extra_data>
    <description>Rsyslog Failed</description>
  </rule>
</group>

It looks like it can not work?




Thanks. Best Regards





[ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread root
Hi,

About this problem, look at this.

My decoder is:

<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

My test rule is:

<group name="local,rsyslog,">
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
    <extra_data>0</extra_data>
    <description>Rsyslog Failed</description>
  </rule>
</group>

Log test:

[root@localhost bin]# ./ossec-logtest
2013/02/28 17:15:30 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 17:15:30 ossec-testrule: INFO: Started (pid: 12165).
ossec-testrule: Type one log per line.

2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0


**Phase 1: Completed pre-decoding.
   full event: '2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0'
   hostname: 'localhost'
   program_name: 'rsyslogd-pstats'
   log: 'action 7: processed=0 failed=0'

**Phase 2: Completed decoding.
   decoder: 'rsyslog-pstats'

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '2'
   Description: 'Unknown problem somewhere in the system.'


So I think the rule is wrong, but I don't know what is wrong with the rule?



Thanks. Best Regards




Re: [ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread dan (ddp)
On Feb 28, 2013 6:26 AM, root r...@cnmoker.org wrote:

> Hi all,
>
> I got a question about OSSEC rules regular expression syntax.
>
> We know that when I want to match a number, I can use \d or \d+.
>
> But now, if I have a string like this:
>
> failed=0==failed=(\d+)
>
> I want to exclude 0, so I use failed=([1-9]+), but it can not match it.
>
> How can I do this?

You can't really. The best option I can think of is to create your rule
matching any number, then creating a rule at level 0 for extra_data of 0.







Re: [ossec-list] Re: about ossec rules Regular Expression Syntax

2013-02-28 Thread dan (ddp)
On Feb 28, 2013 6:26 AM, root r...@cnmoker.org wrote:

> And what does extra_data mean in rules?
> Does it support regular expression syntax?
>
> Now my rules are:
>
> <group name="local,rsyslog,">
>   <rule id="1050001" level="7">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>     <extra_data>^[1-9]+</extra_data>
>     <description>Rsyslog Failed</description>
>   </rule>
> </group>
>
> It looks like it can not work?

The regular expression syntax supported by ossec is documented on the site.







Re: [ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread dan (ddp)
On Feb 28, 2013 6:26 AM, root r...@cnmoker.org wrote:

> Hi,
>
> About this problem, look at this.
>
> My decoder is:
>
> <decoder name="rsyslog-pstats">
>   <program_name>^rsyslogd-pstats</program_name>
> </decoder>

You aren't decoding an extra_data entry here, so your rule will never
match. The second example I wrote for you decoded this properly.





Re: [ossec-list] Maximum number of agents allowed:

2013-02-28 Thread Eero Volotinen
2013/2/28 Alexander Hartner thahart...@gmail.com:
> Any option of achieving the same without a re-compile? Ideally we would like
> to use the binary distribution to be able to pull new versions via the rpm
> repository. Installing from source would require us to manage the version of
> OSSEC server manually.

Well, currently the number of agents is hardcoded into the ossec sources.

--
Eero





Re: [ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread root

So, thanks.

I think that extra_data can be matched in rules after the regex.
:(


Thanks. Best Regards





Re: [ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread dan (ddp)
On Thu, Feb 28, 2013 at 7:15 AM, root r...@cnmoker.org wrote:

> So, thanks.
>
> I think that extra_data can be matched in rules after the regex.
> :(




The problem is that you are not populating extra_data in your decoder.
You said you are using the following decoder:

<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

So running the log message through ossec-logtest with that decoder produces:
2013/02/28 09:02:42 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 09:02:42 ossec-testrule: INFO: Started (pid: 7873).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
   full event: '2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0'
   hostname: 'localhost'
   program_name: 'rsyslogd-pstats'
   log: 'imudp(*:514): submitted=0'

**Phase 2: Completed decoding.
   decoder: 'rsyslog-pstats'

As you can see there is no extra_data field in Phase 2.
I think the decoder I provided the other day looked something like this:
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
  <regex>^\S+\p\S+:\d+\p: submitted=(\d+)$</regex>
  <order>extra_data</order>
</decoder>

Using this decoder and the same log message I now get:
2013/02/28 09:06:17 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 09:06:17 ossec-testrule: INFO: Started (pid: 19646).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
   full event: '2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0'
   hostname: 'localhost'
   program_name: 'rsyslogd-pstats'
   log: 'imudp(*:514): submitted=0'

**Phase 2: Completed decoding.
   decoder: 'rsyslog-pstats'
   extra_data: '0'

As you can see the extra_data is now populated in Phase 2, and it
should be available for use in rules.

If you want to create an alert for 0 submitted widgets, you could do
something like this:
<rule id="21" level="7">
  <decoded_as>rsyslog-pstats</decoded_as>
  <extra_data>0</extra_data>
  <description>0 widgets!</description>
</rule>



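Dan's two answers combined (decode the counter into extra_data, alert on any value, then silence the zero case with a level 0 child rule), as an added example that is not from the thread or from OSSEC itself; it assumes the "action N: processed=X failed=Y" line shown above, and the rule ids 100100/100101 (the 100000+ range OSSEC reserves for local rules) are my choice. Since <extra_data> is an OS_Match field (literal text plus ^, $ and |, no \d and no [1-9]), the ignore rule has to be anchored as ^0$ or it would also silence 10, 20 and 100.

```xml
<!-- /var/ossec/etc/local_decoder.xml -->
<!-- Same shape as dan's working decoder, adapted to the thread's log line.
     The <regex> (OS_Regex: \d = digit, + = one or more) runs on the "log"
     part, i.e. "action 7: processed=0 failed=0", and the capture is stored
     in extra_data via <order>. -->
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
  <regex>^action \d+: processed=\d+ failed=(\d+)</regex>
  <order>extra_data</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,rsyslog,">

  <!-- Parent: fires on every pstats line that carries a failed= counter,
       whatever its value. <match> is OS_Match (literal substring), so the
       rule cannot inspect the number itself; the decoder already put the
       value into extra_data for the child rule below. -->
  <rule id="100100" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>failed=</match>
    <description>rsyslog action reported failed messages.</description>
  </rule>

  <!-- Child: the one value we do not want an alert for. Level 0 overrides
       the parent for this event only. ^ and $ are OS_Match anchors; without
       them "0" is a substring test and failed=10 or failed=100 would also
       be silenced. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <extra_data>^0$</extra_data>
    <description>rsyslog action reported no failed messages (ignored).</description>
  </rule>

</group>
```

Feeding the thread's log line to ossec-logtest should end Phase 3 at rule 100101 (level 0) for failed=0 and at rule 100100 (level 7) for any other value.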
Re: Re: [ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread root
Hi,

OK, I know that, thanks.
But now I have a new problem.
If I want a non-zero value to trigger an alert, how can I do it?
In the rules, I write

submitted=([^0]+)
or
submitted=([1-9]+)

All wrong!






Thanks. Best Regards


Re: [ossec-list] about ossec rules Regular Expression Syntax

2013-02-28 Thread root


Sorry, I did not see your email about this:

> You can't really. The best option I can think of is to create your rule
> matching any number, then creating a rule at level 0 for extra_data of 0.

Yes, I understand your meaning, thank you.









Thanks. Best Regards






Re: [ossec-list] Re: alerts.log to database

2013-02-28 Thread Alejandro Martinez
Thanks for your reply.

I have looked at that script, but it says (if I understood) that I have to
create another table, and it is for integrating ossec with BASE (or ACID)
from snort.

Am I wrong?

2013/2/28 Jb Cheng jjoob...@gmail.com

> Take a look at the contributed PERL script --- ossec-hids/contrib/ossec2mysql.pl.
> It may be able to achieve what you are trying to accomplish.
>
> On Tuesday, February 26, 2013 11:15:50 PM UTC-8, Alejandro wrote:
>
>> Hi,
>>
>> I'm logging information to mysql.
>>
>> I had a problem one day with the database and lost all logging of that day
>> to the database (the database was stopped), but file logging was OK.
>>
>> I see that the file ossec-alerts-[day].log.gz (located on
>> /var/ossec/logs/alerts/Year/Month/) has information.
>>
>> How can I use that file to send the data to the database and populate the alerts
>> and data tables with that lost day?
>>
>> Thanks





Re: [ossec-list] Maximum number of agents allowed:

2013-02-28 Thread Kat
The only issue you have to keep in mind is maxagents, which is pretty simple,
but there is another hidden setting in the client keys creation that is
in the code.
It is set to 4000 by default. You have to edit that and set it to whatever. I fixed
the makefile to do it when you change the setmaxagents.

The value is in validate.c in the ~/src/addagent folder.

In the Makeall you will find this code:

# Increasing maximum number of agents
if [ "X$1" = "Xsetmaxagents" ]; then
    echo -n "Specify maximum number of agents: ";
    read AGMAX
    echo "HEXTRA=-DMAX_AGENTS=$AGMAX" >> ./Config.OS
    echo "Maximum number of agents set to $AGMAX."
    exit 0;
fi


And I updated mine to change the value in validate.c as well:

# Increasing maximum number of agents
if [ "X$1" = "Xsetmaxagents" ]; then
    echo -n "Specify maximum number of agents: ";
    read AGMAX
    echo "HEXTRA=-DMAX_AGENTS=$AGMAX" >> ./Config.OS
    # Also rewrite the hardcoded limit in validate.c. Double quotes are needed
    # so that $AGMAX expands; the comparison operator is assumed to be ">="
    # (it was lost in the archived copy of this message).
    sed -i "s/if(i >= 4000)/if(i >= $AGMAX)/" addagent/validate.c
    echo "Maximum number of agents set to $AGMAX."
    exit 0;
fi





[ossec-list] Re: How to uninstall Ossec from 2.7 on mac mountain lion

2013-02-28 Thread Jb Cheng
You can uninstall OSSEC by removing all files and directories
under /var/ossec/.

On Wednesday, February 27, 2013 5:55:18 PM UTC-8, SDR wrote:

> Hello, I'm trying to reinstall the application. However, I would like to
> uninstall the application first because I keep getting these errors:
>
> sh-3.2# /var/ossec/ossec-agent/bin/ossec-control start
> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
> Started ossec-execd...
> 2013/02/27 20:53:09 ossec-agentd(1402): ERROR: Authentication key file '/var/ossec/ossec-agent/etc/client.keys' not found.
> 2013/02/27 20:53:09 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> 2013/02/27 20:53:09 ossec-agentd(4109): ERROR: Unable to start without auth keys. Exiting.
