Tomcat log


Manuel Sánchez

Mar 26, 2024, 6:14:33 AM
to Wazuh | Mailing List
Hello, I want to know how to create a decoder to catch these log lines:

21-Feb-2024 14:16:39.031 WARNING [localhost-startStop-2] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesObjectStreamClassCaches Failed to clear soft references from ObjectStreamClass$Caches for web application [docs]
java.lang.ClassCastException: class java.io.ObjectStreamClass$Caches$1 cannot be cast to class java.util.Map (java.io.ObjectStreamClass$Caches$1 and java.util.Map are in module java.base of loader 'bootstrap')
    at org.apache.catalina.loader.WebappClassLoaderBase.clearCache(WebappClassLoaderBase.java:2342)
    at org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesObjectStreamClassCaches(WebappClassLoaderBase.java:2317)
    at org.apache.catalina.loader.WebappClassLoaderBase.clearReferences(WebappClassLoaderBase.java:1680)
    at org.apache.catalina.loader.WebappClassLoaderBase.stop(WebappClassLoaderBase.java:1610)
    at org.apache.catalina.loader.WebappLoader.stopInternal(WebappLoader.java:455)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:257)
    at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5505)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:257)
    at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1443)
    at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1432)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:842)

Thanks!

Ujunwa Okonkwo

Mar 26, 2024, 7:17:45 AM
to Wazuh | Mailing List
Hi Manuel,

Thank you for using Wazuh.

To create a decoder, please refer to this blog post https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/ for guidance. Additionally, you can also check out this documentation https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

To create the custom rule, you need the decoder syntax and a regex. The decoders extract the information from the received events. When an event is received, the decoders separate the information into blocks to prepare them for subsequent analysis. Regular expressions, or regex, are sequences of characters that define a pattern. There are three types of regular expressions: regex (OS_Regex), sregex (OS_Match) and PCRE2. Check out this resource https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Once you have created the decoder, you can test it with /var/ossec/bin/wazuh-logtest, as shown in the image attached below. Restart the wazuh-manager if you are satisfied with the result.

Please let me know how it goes.

Manuel Sánchez

Mar 26, 2024, 11:13:15 AM
to Wazuh | Mailing List
Hello, and thanks for your answer, but I want to know how to decode multiline logs like the one I pasted.

Ujunwa Okonkwo

Mar 27, 2024, 7:01:15 AM
to Wazuh | Mailing List
Hi,

In case your events are multi-line, they need to have a pattern to be able to manipulate them with the multiline_regex option (explained here), which you will have to configure in a localfile module.

The localfile module is used to pick events from specific user-defined paths. Depending on which events you want to monitor, you should go to your manager's or agents' ossec.conf file (or to an agent.conf file if it is an agent centralized configuration) and set a localfile module as follows:

    <localfile>
      <location>/<FILE_PATH>/file.xml</location>
      <log_format>syslog</log_format>
    </localfile>

Where location points to the path and filename to be monitored. There you can add the multiline_regex option for multiline events. So for example, the previous localfile will look similar to this:

    <localfile>
      <location>/<FILE_PATH>/file.xml</location>
      <log_format>multi-line-regex</log_format>
      <multiline_regex match="start">START_EVENT</multiline_regex>
    </localfile>

The log_format needs to be multi-line-regex, and in the multiline_regex field you have to define the pattern for your log events. In the previous example, we considered that your events start with the pattern START_EVENT. So each time that a new START_EVENT pattern appears, it will be considered as a new event. Everything from START_EVENT until the next START_EVENT pattern will be set into a single line so the manager can process it.

Regards,
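The decoder regex described in the first reply and the start-of-event pattern described in the reply above can be prototyped together before anything goes into ossec.conf. The following is an added example written for this page, not code from the thread or from the Wazuh project. It takes a constructed catalina.out excerpt modelled on the lines Manuel posted, merges each stack trace into the single-line event that a start-anchored multiline_regex hands to the manager (continuation lines joined with a space, which is this example's assumption about the joined form), and then extracts the fields a decoder would capture. The field names (timestamp, level, thread, logger, message, exception), the `merge_multiline`, `decode` and `decode_log` helpers, and the trailing INFO line in the sample are all this example's own; the INFO line exists only so the splitter has a second boundary to find. Both patterns are Python `re`; translate them into one of the three regex flavours listed in the Wazuh regex documentation before putting them in a decoder or a localfile block.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the catalina.out excerpt posted in this thread.
# The stack trace is shortened to three frames and the trailing INFO line is
# invented so that the splitter has a second event boundary to find.
SAMPLE_LOG = (
    "21-Feb-2024 14:16:39.031 WARNING [localhost-startStop-2] "
    "org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesObjectStreamClassCaches "
    "Failed to clear soft references from ObjectStreamClass$Caches for web application [docs]\n"
    "java.lang.ClassCastException: class java.io.ObjectStreamClass$Caches$1 cannot be cast to "
    "class java.util.Map (java.io.ObjectStreamClass$Caches$1 and java.util.Map are in module "
    "java.base of loader 'bootstrap')\n"
    "\tat org.apache.catalina.loader.WebappClassLoaderBase.clearCache(WebappClassLoaderBase.java:2342)\n"
    "\tat org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesObjectStreamClassCaches(WebappClassLoaderBase.java:2317)\n"
    "\tat java.base/java.lang.Thread.run(Thread.java:842)\n"
    "21-Feb-2024 14:16:40.112 INFO [main] org.apache.catalina.startup.Catalina.start "
    "Server startup in [512] milliseconds\n"
)

# Start-of-event pattern: the Python counterpart of the value you would put in
# <multiline_regex match="start">. Only the first line of a Tomcat event begins
# with a dd-Mon-yyyy HH:MM:SS.mmm timestamp; the exception line and the
# "at ..." frames do not, so they are continuation lines.
EVENT_START = re.compile(r"^\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

# Field extraction a decoder would perform on the merged single-line event.
# Field names are this example's choice. The exception group is a heuristic:
# the first space-delimited token ending in Exception or Error starts the
# trace, and everything after it (including the joined frames) belongs to it.
EVENT_FIELDS = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] "
    r"(?P<logger>\S+) "
    r"(?P<message>.*?)"
    r"(?: (?P<exception>[\w.$]+(?:Exception|Error)\b.*))?$"
)


def merge_multiline(text: str) -> List[str]:
    """Group raw log lines into events the way a start-anchored multiline
    regex does: a line matching EVENT_START opens a new event and every
    following non-matching line is appended to the current one. Continuation
    lines are joined with a single space (assumption; the point is that the
    manager receives exactly one line per event). Lines that appear before
    the first start line have no event to attach to and are dropped."""
    events: List[str] = []
    for line in text.splitlines():
        if EVENT_START.match(line):
            events.append(line)
        elif events:
            events[-1] += " " + line.strip()
    return events


def decode(event: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract decoder fields from one merged event; None if it does not match.
    'exception' is None for events that carry no stack trace."""
    m = EVENT_FIELDS.match(event)
    return m.groupdict() if m else None


def decode_log(text: str) -> List[Optional[Dict[str, Optional[str]]]]:
    """Merge, then decode: the same two stages Wazuh performs (localfile
    collection with multiline_regex, then decoder matching on the manager)."""
    return [decode(event) for event in merge_multiline(text)]


if __name__ == "__main__":
    for fields in decode_log(SAMPLE_LOG):
        print(fields)
```

Running it prints one dict per event. The thing to verify before writing the decoder is that EVENT_START matches only the first line of each event and never a line inside the stack trace: a false start splits one exception into two events, and a missed start glues two unrelated events together, and both faults are silent in the manager. The exception heuristic holds for JVM stack traces, which always name the throwable class first, but it is a convention of that format rather than a guarantee.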
