I thought that since Phase 1 picked up the status as the hostname I was screwed from collecting it with a regex, but I was wrong. Here is my local_decoder for it:
<!-- Parent decoder: prematch on two bracketed fields, e.g. "[Caesium-1-2] [atlassian.core...]".
     In OSSEC regex "\." means any character; an unescaped "." is a literal dot. -->
<decoder name="atlassian">
  <prematch>[\.+]\s+[\.+]</prematch>
  <regex>(\.+)</regex>
  <order>extra_data</order>
</decoder>

<!-- Second decoder of the same name for the mail failure; captures the SMTP error text. -->
<decoder name="atlassian">
  <prematch>NotificationException: com.sun.mail.smtp.SMTPSendFailedException: </prematch>
  <regex offset="after_prematch">(\.+)</regex>
  <order>extra_data</order>
</decoder>

<!-- Child decoder: "|" is a top-level OR in OSSEC regex, so this matches either
     "<timestamp> INFO", or WARN, or ERROR, and stores the capture as status. -->
<decoder name="atlassian-event">
  <parent>atlassian</parent>
  <regex>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d\s+(INFO)|(WARN)|(ERROR)</regex>
  <order>status</order>
</decoder>
local_rules:
<group name="atlassian,">
  <!-- Pre-decoding files the Atlassian log level (INFO/WARN/ERROR) under "hostname",
       so these rules key on <hostname> rather than on the decoded status. -->
  <rule id="100150" level="1">
    <decoded_as>atlassian</decoded_as>
    <hostname>INFO</hostname>
    <description>Atlassian Info Event</description>
  </rule>
  <rule id="100151" level="8">
    <decoded_as>atlassian</decoded_as>
    <hostname>WARN</hostname>
    <description>Atlassian Warn Event</description>
  </rule>
  <rule id="100152" level="10">
    <decoded_as>atlassian</decoded_as>
    <hostname>ERROR</hostname>
    <description>Atlassian Error Event</description>
  </rule>

  <!-- Children of 100151: refine WARN events. -->
  <rule id="100153" level="1">
    <decoded_as>atlassian</decoded_as>
    <if_sid>100151</if_sid>
    <match>ROLE_ANONYMOUS</match>
    <description>Atlassian Ignore Event</description>
  </rule>
  <rule id="100154" level="10">
    <decoded_as>atlassian</decoded_as>
    <if_sid>100151</if_sid>
    <hostname>WARN</hostname>  <!-- already implied by the parent rule -->
    <regex>Remote agent\s'\.+'\swas unresponsive and has gone offline.</regex>
    <description>Atlassian Bamboo Agent Disconnected Event</description>
  </rule>
</group>
It works for about 99% of my events; however, OSSEC will randomly report them with rule id 1002, even though ossec-logtest reports that it is my custom event:
2019-06-04 13:42:34,673 ERROR [Caesium-1-2] [atlassian.core.task.AbstractErrorQueuedTaskQueue] handleException com.atlassian.mail.MailException: com.sun.mail.smtp.SMTPSendFailedException: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup
**Phase 1: Completed pre-decoding.
full event: '2019-06-04 13:42:34,673 ERROR [Caesium-1-2] [atlassian.core.task.AbstractErrorQueuedTaskQueue] handleException com.atlassian.mail.MailException: com.sun.mail.smtp.SMTPSendFailedException: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup'
hostname: 'ERROR'
program_name: '(null)'
log: '[Caesium-1-2] [atlassian.core.task.AbstractErrorQueuedTaskQueue] handleException com.atlassian.mail.MailException: com.sun.mail.smtp.SMTPSendFailedException: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup'
**Phase 2: Completed decoding.
decoder: 'atlassian'
status: 'Error'
**Phase 3: Completed filtering (rules).
Rule id: '100152'
Level: '10'
Description: 'Atlassian Error Event'
**Alert to be generated.
Email received:
OSSEC HIDS Notification.
2019 Jun 04 13:42:36
Received From: (confluence1)
IP->/var/atlassian/application-data/confluence/logs/atlassian-confluence.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2019-06-04 13:42:34,673 ERROR [Caesium-1-2] [atlassian.core.task.AbstractErrorQueuedTaskQueue] handleException com.atlassian.mail.MailException: com.sun.mail.smtp.SMTPSendFailedException: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup
Is this a bug? ossec-logtest properly detects the rule, but the service isn't following it. Or is it because the status is the hostname that this rule detection breaks down?
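As an added reference (not part of the post above and not OSSEC's own code), the following Python mirrors the rule tree 100150-100154 over sample Atlassian log lines, so the expected verdict for each line can be checked offline before comparing against ossec-logtest and the daemon. It parses the log4j-style layout the post's Confluence line shows, in which the level is the second whitespace-separated field (the field a syslog-oriented pre-decoder files under hostname, as the Phase 1 output above shows). The first sample line is the post's own event; the other lines, the thread and logger names in them, and the trailing syslog line are constructed. Patterns are written in Python's re syntax, not OSSEC regex syntax.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample lines. The first is the event from the post; the rest are constructed
# for this example in the same "<date> <time>,<ms> <LEVEL> [<thread>] [<logger>]
# <message>" layout. The last line is a constructed syslog line that is not an
# Atlassian event at all.
SAMPLE_LINES = [
    "2019-06-04 13:42:34,673 ERROR [Caesium-1-2] "
    "[atlassian.core.task.AbstractErrorQueuedTaskQueue] handleException "
    "com.atlassian.mail.MailException: com.sun.mail.smtp.SMTPSendFailedException: "
    "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup",
    "2019-06-04 13:45:01,002 WARN [http-nio-8090-exec-7] "
    "[confluence.security.PermissionCheck] user ROLE_ANONYMOUS denied access to a page",
    "2019-06-04 13:46:10,500 WARN [scheduler_Worker-3] "
    "[bamboo.agent.RemoteAgentManager] Remote agent 'build-agent-01' "
    "was unresponsive and has gone offline.",
    "2019-06-04 13:47:00,000 INFO [main] [confluence.lifecycle] Confluence is ready to serve",
    "Jun  4 13:47:05 confluence1 sshd[1234]: Accepted publickey for deploy from 10.0.0.5",
]

# Layout of one Atlassian log line; the level is the second field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\s+"
    r"\[(?P<thread>[^\]]*)\]\s+"
    r"\[(?P<logger>[^\]]*)\]\s+"
    r"(?P<message>.*)$"
)

# The Bamboo agent message from rule 100154, in Python re syntax.
BAMBOO_OFFLINE_RE = re.compile(r"Remote agent '[^']+' was unresponsive and has gone offline\.")


@dataclass(frozen=True)
class Verdict:
    rule_id: int
    level: int
    description: str


def parse_line(line: str) -> Optional[dict]:
    """Split one Atlassian log line into its fields; None if the layout does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Verdict]:
    """Apply the post's rule tree (100150-100154) to one line.

    Returns None when the line is not an Atlassian line, or carries a level the
    rules do not cover; such a line would be left to other rules in OSSEC.
    """
    fields = parse_line(line)
    if fields is None:
        return None
    level, message = fields["level"], fields["message"]
    if level == "INFO":
        return Verdict(100150, 1, "Atlassian Info Event")
    if level == "ERROR":
        return Verdict(100152, 10, "Atlassian Error Event")
    if level == "WARN":
        # Children of 100151 (if_sid). The two patterns are mutually exclusive,
        # so the order they are checked in does not change the result.
        if "ROLE_ANONYMOUS" in message:
            return Verdict(100153, 1, "Atlassian Ignore Event")
        if BAMBOO_OFFLINE_RE.search(message):
            return Verdict(100154, 10, "Atlassian Bamboo Agent Disconnected Event")
        return Verdict(100151, 8, "Atlassian Warn Event")
    return None


def alerts(lines, min_level: int = 1):
    """Return (rule_id, level) for lines whose verdict is at or above min_level.

    min_level plays the role of an alert threshold; its default here is a choice
    made for this example, not an OSSEC setting.
    """
    out = []
    for line in lines:
        v = classify(line)
        if v is not None and v.level >= min_level:
            out.append((v.rule_id, v.level))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        v = classify(line)
        print(v.rule_id if v else "no atlassian rule", "|", line[:70])
```

Feeding the same lines to ossec-logtest and comparing the rule id it prints with `classify()` gives a quick way to see which lines the rule tree is meant to cover; a line that this classifier rejects is one the Atlassian rules were never going to match, whatever the daemon reports for it.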