OSSEC: Monitor your app log file

OSSEC has built-in support for monitoring system logs, and does a good job of it. Don't forget that OSSEC can also monitor custom log files such as your own app's log. To get alerts out of them you have to write your own decoder and rules.


  • Add the log file you want to monitor to ossec.conf


Open up /var/ossec/etc/ossec.conf on the host that actually holds the file (the agent if the app runs on an agent, the server otherwise) and add the block below. The file must be readable by the ossec user.

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/my_app.log</location>
</localfile>

  • Create a custom decoder
OSSEC uses decoders to parse log lines. Once it finds the decoder that matches a line, it extracts the fields that decoder defines (the stock decoders live in /var/ossec/etc/decoder.xml) and then compares those values against the rule files. When the decoded values match what a rule specifies, an alert is triggered.

Decoders and rules live on the server (manager), not on the agents; agents only forward the raw lines. Custom decoders should be added to /var/ossec/etc/local_decoder.xml on the server.
The log I want to trigger an alert for looks something like this:

2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:29:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.
2010-09-27 16:39:52 [node-info]IP:192.1.1.1@reboot.

Open up /var/ossec/etc/local_decoder.xml (you could also edit decoder.xml, which already exists, but using local_decoder.xml ensures an upgrade won't overwrite your work). First, we create a parent decoder that matches the beginning of the log entry: the timestamp and the [node-test] tag, expressed as a regular expression. A child decoder then picks the IP address and the action out of the remainder of the line.

The decoders look like this:
<decoder name="nodeerror">
        <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d [node-test]</prematch>
</decoder>

<decoder name="nodeerror-alert">
  <parent>nodeerror</parent>
  <regex offset="after_parent">IP:(\d+.\d+.\d+.\d+)@(\w+)</regex>
  <order>url,action</order>
</decoder>

Two things to keep in mind about OSSEC's regex dialect: it has no [...] character classes, so the square brackets in the prematch are matched literally, and an unescaped "." matches any character, so the IP pattern above is loose (write "\." if you want a literal dot). Note also that the prematch only matches [node-test] lines; the [node-info] lines in the sample never reach the child decoder. The field name "url" is just a label here; "srcip" is the conventional name for a source address and would let rules use <srcip> and active responses act on the address.
Save your local_decoder.xml and run a sample line through ossec-logtest. The Phase 3 output below assumes the rules from the next step are already in local_rules.xml; until they are, no rule matches and no alert is generated.

#/var/ossec/bin/ossec-logtest
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.


**Phase 1: Completed pre-decoding.
       full event: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'
       hostname: 'pms-srv01'
       program_name: '(null)'
       log: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'

**Phase 2: Completed decoding.
       decoder: 'nodeerror'
       url: '192.1.1.1'
       action: 'reboot'

**Phase 3: Completed filtering (rules).
       Rule id: '700006'
       Level: '8'
       Description: 'reboot happens!'
**Alert to be generated.

Looks good! It found our decoder and extracted the fields the way we wanted. Now we're ready to write local rules.


  • Write custom rules

Open /var/ossec/rules/local_rules.xml and add the rules below. The first rule (level 0) only anchors on the decoder and never alerts by itself; the second one fires when the decoded action is "reboot".
    <rule id="700005" level="0">
        <decoded_as>nodeerror</decoded_as>
        <description>Custom node Alert</description>
    </rule>
    <!-- Alert -->
    <rule id="700006" level="8">
        <if_sid>700005</if_sid>
        <action>reboot</action>
        <options>alert_by_email</options>
        <description>reboot happens!</description>
    </rule>

Save your local_rules.xml file. Now restart OSSEC (ossec-control restart in /var/ossec/bin) and check that the alert shows up in /var/ossec/logs/alerts/alerts.log. One caveat on rule numbering: OSSEC reserves ids 100000 to 119999 for custom rules, so if you want to stay inside the documented range, renumber 700005/700006 accordingly and keep the if_sid reference in sync.
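The following is an added example, not code from the post or from OSSEC. It models just enough of the decoder and rule semantics used above (prematch, a child regex with offset="after_parent", the <order> field mapping, decoded_as, if_sid and <action>) to run the sample log lines offline and show which ones would alert and with which fields. It goes slightly beyond the post by also feeding in a constructed [node-test] line whose action is "shutdown", to show the level-0 rule matching without an alert. The bracket escaping in ossec_to_python_regex reflects my understanding that OSSEC's regex engine treats [ and ] literally; the authoritative answer for any real line is what /var/ossec/bin/ossec-logtest prints.

```python
"""Offline model of the OSSEC decoder/rule chain from this post, run over sample lines.

This is an added example, not OSSEC's engine: it mirrors the decoder and rule
semantics used in the post closely enough to predict what ossec-logtest reports.
"""
import re

# Decoders as written in local_decoder.xml (OSSEC regex syntax, unchanged).
DECODERS = [
    {"name": "nodeerror",
     "prematch": r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d [node-test]"},
    {"name": "nodeerror-alert", "parent": "nodeerror",
     "regex": r"IP:(\d+.\d+.\d+.\d+)@(\w+)", "order": ["url", "action"]},
]

# Rules as written in local_rules.xml.
RULES = [
    {"id": 700005, "level": 0, "decoded_as": "nodeerror",
     "description": "Custom node Alert"},
    {"id": 700006, "level": 8, "if_sid": 700005, "action": "reboot",
     "description": "reboot happens!"},
]

# Constructed sample: the five lines from the post plus one extra [node-test] line.
SAMPLE_LOG = [
    "2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.",
    "2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.",
    "2010-09-25 15:29:52 [node-test]IP:192.1.1.1@reboot.",
    "2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.",
    "2010-09-27 16:39:52 [node-info]IP:192.1.1.1@reboot.",
    "2010-09-27 16:40:10 [node-test]IP:192.1.1.1@shutdown.",  # decoded, no alert
]


def ossec_to_python_regex(pattern):
    """Translate an OSSEC pattern to Python re syntax.

    \\d, \\w, \\s, '.', '+', '*', '^' and '$' mean the same in both. OSSEC has
    no [...] character classes (assumption stated in the lead-in), so square
    brackets are literal there and must be escaped for Python.
    """
    return pattern.replace("[", r"\[").replace("]", r"\]")


def decode(log):
    """Return (decoder_name, fields) for one line, or (None, {}) if no decoder matches."""
    for parent in DECODERS:
        if "prematch" not in parent:
            continue
        m = re.search(ossec_to_python_regex(parent["prematch"]), log)
        if not m:
            continue
        fields = {}
        rest = log[m.end():]  # offset="after_parent": child regex sees only the tail
        for child in DECODERS:
            if child.get("parent") != parent["name"]:
                continue
            cm = re.search(ossec_to_python_regex(child["regex"]), rest)
            if cm:
                fields.update(zip(child["order"], cm.groups()))  # <order> mapping
                break
        return parent["name"], fields  # logtest reports the parent's name
    return None, {}


def match_rules(decoder, fields):
    """Walk the rule chain; the last matching rule wins (the most specific one)."""
    matched = None
    for rule in RULES:
        if "decoded_as" in rule and rule["decoded_as"] != decoder:
            continue
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "action" in rule and fields.get("action") != rule["action"]:
            continue
        matched = rule
    return matched


def analyze(log):
    """Run one line through decoding and rule matching, like ossec-logtest."""
    decoder, fields = decode(log)
    rule = match_rules(decoder, fields) if decoder else None
    return {
        "decoder": decoder,
        "fields": fields,
        "rule_id": rule["id"] if rule else None,
        "level": rule["level"] if rule else None,
        "alert": bool(rule) and rule["level"] >= 1,  # level 0 never alerts
    }


def alerting_lines(lines):
    """Return the lines that would generate an alert."""
    return [line for line in lines if analyze(line)["alert"]]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line, "->", analyze(line))
```

Running it shows the three [node-test] reboot lines hitting rule 700006 at level 8 with url=192.1.1.1 and action=reboot, the two [node-info] lines falling through with no decoder at all, and the shutdown line stopping at the level-0 rule 700005. If you later rename "url" to "srcip" in the decoder, the change is a one-word edit in DECODERS and the assertions below tell you immediately which rules still fire.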




