
[ossec-list] Re: support for custom ids log




Hi Shawn,

You would need to write a decoder for your custom log format. Look
at the file decoders.xml for some examples...

A simple decoder would be the following:

<decoder name="mycustom-decoder">
  <prematch>^\w+;\w+;\d+</prematch>
  <regex>^(\w+);(\w+);</regex>
  <order>id,system_name</order>
  <fts>name,id,system_name</fts>
</decoder>

It is basically going to create an FTS entry whenever it sees for the first
time an IDS id + system name combination. You can leverage that to
add source ips, protocols, usernames, etc...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 1/17/07, shawn reed <shwn_rd@xxxxxxxxx> wrote:

Can you tell me if there's already support for me to
use OSSEC correlation engine to analyze custom log
files?

I perform a daily dump from an ids with the following
five fields:

Event_name;Sensor_Name;Nbr_of_Events;Nbr_of_Sources;Nbr_of_Destinations

Can OSSEC read these logs and alert on events that
have never been seen?



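To make the reply above concrete, here is an added example (it is not OSSEC code and not part of Daniel's reply) that simulates what the posted decoder plus an `<if_fts />` rule would do over a constructed copy of Shawn's five-field dump. It translates the small subset of OSSEC regex syntax used in the decoder into Python regex (OSSEC's \w matches A-Z, a-z, 0-9, @, - and _, which is why an Event_name containing an underscore still matches), extracts id and system_name, and keeps an in-memory first-time-seen list. The names Decoder, FtsStore and run_decoder are this example's own, and the sample log lines are invented.

```python
import re

# Constructed sample of the five-field daily dump from the question above
# (Event_name;Sensor_Name;Nbr_of_Events;Nbr_of_Sources;Nbr_of_Destinations).
# These are made-up lines, not real sensor output; the last one is malformed
# on purpose to show a line the prematch rejects.
SAMPLE_LOG = """\
PortScan;sensor01;12;3;7
WebAttack;sensor01;4;1;1
PortScan;sensor01;9;2;5
PortScan;sensor02;1;1;1
SSH_Brute;sensor02;44;2;1
WebAttack;sensor01;2;1;1
malformed line with no separators
"""


def ossec_regex_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used in decoders to Python re.

    OSSEC regex is not PCRE: \\w matches A-Z, a-z, 0-9, '@', '-' and '_';
    \\d is 0-9; \\s is a space; \\. matches any character, while a bare '.'
    is a literal dot.  Anchors, groups, '+', '*' and ';' pass through.
    Only this subset is handled here (an assumption of this example).
    """
    classes = {"w": r"[A-Za-z0-9@_\-]", "d": "[0-9]", "s": " ", ".": "."}
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(classes.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c == ".":
            out.append(r"\.")
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


class Decoder:
    """Minimal stand-in for one <decoder> block: prematch, regex, order, fts."""

    def __init__(self, name, prematch, regex, order, fts):
        self.name = name
        self.prematch = re.compile(ossec_regex_to_python(prematch))
        self.regex = re.compile(ossec_regex_to_python(regex))
        self.order = list(order)   # field names for the capture groups
        self.fts = list(fts)       # fields whose combination must be new

    def decode(self, line):
        """Return the extracted fields, or None when the decoder does not apply."""
        if not self.prematch.search(line):
            return None
        m = self.regex.search(line)
        if not m:
            return None
        fields = dict(zip(self.order, m.groups()))
        fields["name"] = self.name   # 'name' in <fts> is the decoder name
        return fields


class FtsStore:
    """In-memory first-time-seen list (OSSEC keeps its own list on disk)."""

    def __init__(self):
        self.seen = set()

    def is_first_time(self, decoder, fields):
        # Simplification: every <fts> field must be present to form an entry.
        key = tuple(fields.get(f) for f in decoder.fts)
        if None in key or key in self.seen:
            return False
        self.seen.add(key)
        return True


def run_decoder(decoder, log_text, store=None):
    """Decode each line and flag the ones an <if_fts /> rule would alert on."""
    if store is None:
        store = FtsStore()
    results = []
    for line in log_text.splitlines():
        fields = decoder.decode(line)
        fts = fields is not None and store.is_first_time(decoder, fields)
        results.append({"line": line, "fields": fields, "fts": fts})
    return results


# The decoder from the reply above: Event_name -> id, Sensor_Name -> system_name.
mycustom_decoder = Decoder(
    name="mycustom-decoder",
    prematch=r"^\w+;\w+;\d+",
    regex=r"^(\w+);(\w+);",
    order=["id", "system_name"],
    fts=["name", "id", "system_name"],
)

if __name__ == "__main__":
    for r in run_decoder(mycustom_decoder, SAMPLE_LOG):
        tag = "FIRST TIME SEEN" if r["fts"] else ("seen before" if r["fields"] else "not decoded")
        print(f"{tag:16} {r['line']}")
```

Run as a script it flags the first PortScan/sensor01, WebAttack/sensor01, PortScan/sensor02 and SSH_Brute/sensor02 lines as first time seen, marks the two repeats as seen before, and leaves the malformed line undecoded. The point to carry over to a real install is that the FTS key is the decoder name plus whatever you list in `<fts>`, so adding srcip or user to both `<order>` and `<fts>` changes what counts as "never seen".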





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.