
How to Add an OSSEC Decoder to an Application


Madhuka Udantha presents a tutorial on how to add an OSSEC decoder for an application's log, how to test it with ossec-logtest, and how to add a child decoder that extracts fields.


Each application has its own log record format. For example, an Apache access log entry in the combined format, prefixed with the virtual host name:

web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

Here we add a new OSSEC decoder called “custom-apache-access-log” to /var/ossec/etc/decoder.xml (on OSSEC 2.8 and later, put custom decoders in /var/ossec/etc/local_decoder.xml instead, which upgrades do not overwrite). The first attempt keys on program_name:
# /var/ossec/etc/decoder.xml

<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>

Then test it: run ossec-logtest and paste the log line on its standard input.

# /var/ossec/bin/ossec-logtest

It says:

**Phase 2: Completed decoding.
       No decoder matched.

Nothing matched because the decoder has no condition that applies to this line: program_name is only populated for syslog-formatted messages (it is taken from the "host program[pid]:" header), and a raw Apache access line has no such header. Replace program_name with a prematch on the host name that begins every line (in OSSEC regex syntax a bare "." is literal, and the trailing space is part of the match):

<decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
</decoder>

Run ossec-logtest again and the line now hits the custom decoder: Phase 2 reports decoder: 'custom-apache-access-log'.

Adding a child decoder that extracts fields. With offset="after_parent", the child's prematch and regex start right after the parent's prematch, so the child regex begins at the client IP rather than at the host name. The <order> list assigns the captured groups, in sequence, to OSSEC field names; the fifth group (HTTP/1.1) is the request protocol, so it is mapped to protocol rather than to srcuser, which would otherwise pollute rules and first-time-seen checks that look at user names. The prematch restricts the child to POST requests; GET lines still match the parent but yield no fields.

<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, protocol, status, extra_data, extra_data, extra_data</order>
</decoder>

The User-Agent in the first sample line contains spaces, which \S+ cannot cross, so the regex above only matches a line whose User-Agent is a single token. Test with a shortened one:

web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"

Phase 2 now reports decoder: 'custom1-apache-access-log' together with the extracted fields (srcip, url, status, extra_data, and so on). Two caveats: OSSEC keeps one value per field name, so the three extra_data entries in <order> overwrite each other and only the last one, the User-Agent, survives; and to accept a real User-Agent, change the final group to "(\.+)"$, since \. is OSSEC's "any character" class.
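To see what this decoder chain does to a line without an OSSEC install, here is an added Python simulation written for this article; it is not OSSEC code and does not use OSSEC's os_regex engine. It translates the small OSSEC regex subset used above into Python's re module, applies the parent prematch, the child's after_parent offset and the <order> mapping, and reproduces the User-Agent failure mode and its \.+ fix. The sample lines are constructed, the fifth capture is mapped to protocol rather than srcuser, and agreement with OSSEC's own matcher is only claimed for these simple patterns (os_regex has its own backtracking rules).

```python
import re

# Constructed sample lines for this example (made up, not captured traffic).
FULL_UA_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
                '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" '
                '"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"')
SHORT_UA_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
                 '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"')
GET_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
            '"GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.47.0"')
OTHER_HOST_LINE = ('other.example.org 10.0.0.1 - - [27/Dec/2015:03:44:16 +0530] '
                   '"POST /a HTTP/1.1" 200 5 "-" "curl/7.47.0"')


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used on this page into Python re syntax.

    OSSEC's os_regex is not PCRE: '\\.' means any character, while a bare '.',
    '[' and ']' are literal.  '\\S', '\\s', '\\d', '\\D', '\\w', '\\W', '( )',
    '+', '*', '^', '$' and '|' keep their usual meaning.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            n = pattern[i + 1]
            if n == '.':
                out.append('.')
            elif n in 'SsDdWw':
                out.append('\\' + n)
            else:
                out.append(re.escape(n))
            i += 2
        else:
            out.append(c if c in '()+*^$|' else re.escape(c))
            i += 1
    return ''.join(out)


PARENT = {
    'name': 'custom-apache-access-log',
    'prematch': re.compile(ossec_to_python(r'^web.madhuka.lk ')),
}

CHILD = {
    'name': 'custom1-apache-access-log',
    'prematch': re.compile(ossec_to_python(r'"POST \S+ \S+"')),
    'regex': re.compile(ossec_to_python(
        r'^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$')),
    # Fifth capture (HTTP/1.1) goes to 'protocol' here rather than to 'srcuser'.
    'order': ['srcip', 'extra_data', 'extra_data', 'url', 'protocol',
              'status', 'extra_data', 'extra_data', 'extra_data'],
}


def decode(line, parent=PARENT, child=CHILD):
    """Mimic ossec-logtest Phase 2 for one parent/child pair.

    Returns (matching_decoder_name, fields).  fields is empty when only the
    parent matched; the name is None when nothing matched at all.
    """
    m = parent['prematch'].search(line)
    if m is None:
        return None, {}
    rest = line[m.end():]             # offset="after_parent": resume after the parent's prematch
    if child['prematch'].search(rest) is None:
        return parent['name'], {}
    m = child['regex'].match(rest)    # the child's '^' anchors at that offset, not at column 0
    if m is None:
        return parent['name'], {}
    fields = {}
    for name, value in zip(child['order'], m.groups()):
        fields[name] = value          # one slot per field name: a repeated extra_data is overwritten
    return child['name'], fields


def child_with_any_char_user_agent(child=CHILD):
    """Variant of CHILD whose last group is OSSEC's '\\.+' (any character),
    so a User-Agent that contains spaces decodes too."""
    fixed = dict(child)
    fixed['regex'] = re.compile(ossec_to_python(
        r'^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\.+)"$'))
    return fixed


if __name__ == '__main__':
    for line in (SHORT_UA_LINE, FULL_UA_LINE, GET_LINE, OTHER_HOST_LINE):
        print(decode(line))
    print(decode(FULL_UA_LINE, child=child_with_any_char_user_agent()))
```

Running it shows the four outcomes a practitioner needs to recognise in ossec-logtest output: a line from another host matches nothing, a GET line and the full-User-Agent line stop at the parent with no fields, the shortened line yields fields from the child, and the \.+ variant decodes the full User-Agent into extra_data.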


Published at DZone with permission of Madhuka Udantha, DZone MVB. See the original article here.
