No Decoder Match Problem
683 views
Skip to first unread message
Akash Munjal
Jun 9, 2017, 11:21:00 AM6/9/17
to ossec-list
Hi,
I create custom decoder, /var/ossec/etc/local_decoder.xml as:
<decoder name="myapplication">
<program_name>myapplication</program_name>
<prematch>^myapplication: </prematch>
</decoder>
Entry of decoder in manager ossec.conf file as:
<rules>
<include>local_rules.xml</include>
<decoder>etc/decoder.xml</decoder>
<decoder>etc/local_decoder.xml</decoder>
<decoder_dir>rules/plugins</decoder_dir>
</rules>
when i run logtest command it show this:
/var/ossec/bin/ossec-logtest
2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
2017/06/09 20:08:54 ossec-testrule: INFO: Started (pid: 21573).
ossec-testrule: Type one log per line.
myapplication: This is a test
**Phase 1: Completed pre-decoding.
full event: 'myapplication: This is a test'
hostname: 'ip-x.x.x.x'
program_name: '(null)'
log: 'myapplication: This is a test'
**Phase 2: Completed decoding.
No decoder matched.
#### I follow this link as below:
https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm
Anyone can help me out in this.
Thanks.......
dan (ddp)
Jun 10, 2017, 8:16:58 PM6/10/17
to ossec...@googlegroups.com
not how the event was decoded.
> log: 'myapplication: This is a test'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> #### I follow this link as below:
>
> https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm
>
>
> Anyone can help me out in this.
>
> Thanks.......
>
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Jesus Linares
Jun 12, 2017, 5:56:58 AM6/12/17
to ossec-list
Hi Akash,
the OSSEC engine has 3 phases: pre-decoding, decoding, rule matching.
The pre-decoding is done automatically by OSSEC (at c level):
**Phase 1: Completed pre-decoding.
full event: 'myapplication: This is a test'
hostname: 'ip-10-0-0-10'
program_name: '(null)'
log: 'myapplication: This is a test'You have to create your decoders based on the information extracted on the phase 1:
- If pre-decoding extracts program_name, use program_name in your parent decoder.
- Otherwise, use prematch
So, you must to use prematch, because your program_name is null.
<decoder name="test">
<prematch>myapplication: </prematch>
</decoder>
<decoder name="test-fields">
<parent>test</parent>
<prematch offset="after_parent">this</prematch>
<regex offset="after_parent">(\S+)</regex>
<order>extra_data</order>
</decoder>myapplication: This is a test
**Phase 1: Completed pre-decoding.
full event: 'myapplication: This is a test'
hostname: 'ip-10-0-0-10'
program_name: '(null)'
log: 'myapplication: This is a test'
**Phase 2: Completed decoding.
decoder: 'test'
extra_data: 'This'I hope it helps.
Regards.
Akash Munjal
Jun 12, 2017, 10:54:48 AM6/12/17
to ossec-list
thanks dan & Jesus Linares for your help....
Don_Johny
Sep 4, 2018, 7:41:42 AM9/4/18
to ossec-list
Hello sorry for bothering you, but maybe you could help me with my custom decoder(which doesnt work).I wanna create a custom decoder to alert my on email when i put some text like 'error".
log file format:
2018-09-03 WARN test
2018-09-03 ERROR test text to be alerted
2018-09-03 INFO
2018-09-03 WARN test error text
Reply all
Reply to author
Forward
0 new messages