[ossec-list] Re: filter rules on host and log file?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: filter rules on host and log file?
- From: JM <ubahmapk@xxxxxxxxx>
- Date: Mon, 1 Oct 2007 10:30:05 -0500
On 9/30/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Hi JM,
>
> I think you are confusing it a bit. The logformat in the "localfile"
> configuration is only used to tell ossec how to read the logs, not
> anything else. In fact, the apache, squid, syslog fields act the same
> in there (all one entry per line logs)...
>
> What determines the "category" of them is the decoder. If the decoder
> reads a PIX log, it will set it to the "firewall" category or if it
> reads an apache log, it will set it as web_log (look at the
> decoders.xml and the type tags).
>
That makes sense. Thanks for the clarification.
> Regarding your log, our decoder is not treating it properly as a
> firewall because it has an additional hostname in there.
[trim]
> *btw, you can keep the additional timestamp in there, but not the
> extra hostname.
>
Ok, so I examined the decoder.xml file and found the location that
detects PIX/ASA. I then copied the lines and commented out a pair (so
I could undo any damage I might cause.. :-)
I added a \w+ in between the date and the %ASA-... to match the extra
hostname and -- WOW! I'm getting much better alerts now! :-D
> Hope it helps.
>
Tremendously!
Thanks again.
JM
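An added illustration of the point in this thread, not code from the list or from the OSSEC project: the log lines, the hostname `fw01`, and both prematch patterns below are constructed, and the patterns are Python translations of the idea (OSSEC's decoder.xml uses its own regex dialect, so they are not copied from the real PIX decoder). It goes slightly beyond the thread by making the extra hostname optional, so one pattern covers both the plain and the relayed layout.

```python
import re

# Constructed sample events (not from the thread). OSSEC's syslog reader has
# already stripped the outer "Mon DD HH:MM:SS host program:" header, so what
# the decoder's prematch sees starts at the remainder shown here.
PLAIN_PIX = "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443"
# A second timestamp in front: the original decoder already tolerates this.
TIMESTAMPED_PIX = "Sep 30 10:15:22 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.8/22"
# Second timestamp AND an extra hostname (the relay case from the thread).
RELAYED_PIX = "Sep 30 10:15:22 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443"

# Approximation of the shipped prematch: optional extra timestamp, then the
# PIX/ASA message id. Python's \w excludes '-' and '.', so a hostname with
# those characters would need a wider class than the thread's \w+.
ORIGINAL_PREMATCH = re.compile(r"^(?:\w+ \d+ \d+:\d+:\d+ )?%(?:PIX|ASA)-(\d)-(\d+):")
# JM's fix, generalised: a \w+ hostname may follow the extra timestamp.
EXTENDED_PREMATCH = re.compile(r"^(?:\w+ \d+ \d+:\d+:\d+ (?:\w+ )?)?%(?:PIX|ASA)-(\d)-(\d+):")


def decode(line, prematch):
    """Return the fields a firewall-typed decoder would set for this line, or
    None when prematch fails. An undecoded line never gets the "firewall"
    category, so the PIX/ASA rules never fire on it: the alert loss JM saw."""
    m = prematch.match(line)
    if not m:
        return None
    severity, msg_id = m.group(1), m.group(2)
    return {
        "type": "firewall",          # the decoder's <type> tag, as Daniel described
        "severity": int(severity),   # PIX/ASA syslog level (0-7)
        "id": msg_id,                # PIX/ASA message number, e.g. 302013
        "message": line[m.end():].strip(),
    }


if __name__ == "__main__":
    for name, line in [("plain", PLAIN_PIX), ("timestamped", TIMESTAMPED_PIX), ("relayed", RELAYED_PIX)]:
        print(f"{name:12} original={decode(line, ORIGINAL_PREMATCH) is not None} "
              f"extended={decode(line, EXTENDED_PREMATCH) is not None}")
```

Running it shows only the relayed line slipping past the original prematch, which is the single layout difference that turned the firewall events into generic, low-value alerts.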
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.