How to Add an OSSEC Decoder to an Application
Madhuka Udantha presents a tutorial on how to add an OSSEC Decoder to the log of an application, how to test it, and information about the child decoder.
Each application has its own log record format. For example:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
Here we add a new OSSEC decoder called "custom-apache-access-log":
# /var/ossec/etc/decoder.xml
<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>
Then test it:
# /var/ossec/bin/ossec-logtest
It says:
**Phase 2: Completed decoding.
No decoder matched.
No decoder matched because we have not yet written a match condition for our new custom decoder. Let's write a prematch for it:
<decoder name="custom-apache-access-log">
  <prematch>^web.madhuka.lk </prematch>
</decoder>
Run ossec-logtest again and the line now hits our custom decoder.
Adding a new child decoder:
<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <!-- offset="after_parent": matching starts where the parent's prematch ended -->
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <!-- one field name per capture group, in order -->
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>
Testing with:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"
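To see why the child decoder needs the shortened test line, here is a small simulation of the parent/child, prematch/regex/order mechanics, added as an example for this article; it is not OSSEC's own code and not the author's. It embeds the article's two decoders and both log lines (the original and the shortened one), translates the OSSEC regex syntax to Python only for the constructs used here (\S, \d, ^, $, and literal square brackets), and makes two simplifying assumptions: a child whose regex fails falls back to the parent decoder, and when a field name is repeated in `<order>` the last capture group wins.

```python
"""Simulation of OSSEC decoder matching (added example, not OSSEC's own code).

Re-implements just enough of the parent/child, prematch/regex/order
mechanics to show why the article's child decoder matches the shortened
test line but not the original access-log line (the user agent contains
spaces, which \\S+ cannot match)."""
import re
import xml.etree.ElementTree as ET

# The article's decoders, embedded so the script runs offline.
DECODERS_XML = r"""<decoders>
  <decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
  </decoder>
  <decoder name="custom1-apache-access-log">
    <parent>custom-apache-access-log</parent>
    <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
    <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
    <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
  </decoder>
</decoders>"""

# Constructed test input: the article's original line and its shortened variant.
FULL_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
             '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" '
             '"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"')
SHORT_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
              '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"')


def ossec_to_python(pattern):
    """OSSEC regex has no character classes, so [ and ] are literal;
    \\S, \\d, ^ and $ mean the same in both syntaxes (only these are handled)."""
    return pattern.replace('[', r'\[').replace(']', r'\]')


def load_decoders(xml_text):
    """Parse <decoder> elements into dicts; prematch/regex keep their offset attribute."""
    decoders = []
    for node in ET.fromstring(xml_text):
        d = {'name': node.get('name'), 'parent': None,
             'prematch': None, 'regex': None, 'order': []}
        for child in node:
            if child.tag == 'parent':
                d['parent'] = child.text.strip()
            elif child.tag in ('prematch', 'regex'):
                d[child.tag] = (ossec_to_python(child.text), child.get('offset'))
            elif child.tag == 'order':
                d['order'] = [f.strip() for f in child.text.split(',')]
        decoders.append(d)
    return decoders


def decode(line, decoders):
    """Return (name of the decoder that matched or None, dict of extracted fields)."""
    for parent in (d for d in decoders if d['parent'] is None):
        if not parent['prematch']:
            continue  # like the article's first attempt: nothing to match on
        m = re.search(parent['prematch'][0], line)
        if not m:
            continue
        parent_end = m.end()  # offset="after_parent" resumes from here
        for child in (d for d in decoders if d['parent'] == parent['name']):
            fields = {}
            if child['prematch']:
                pat, off = child['prematch']
                start = parent_end if off == 'after_parent' else 0
                if not re.search(pat, line[start:]):
                    continue
            if child['regex']:
                pat, off = child['regex']
                start = parent_end if off == 'after_parent' else 0
                rm = re.search(pat, line[start:])
                if not rm:
                    continue  # simplification: failed child regex -> fall back to parent
                for name, value in zip(child['order'], rm.groups()):
                    fields[name] = value  # repeated names: last group wins (assumption)
            return child['name'], fields
        return parent['name'], {}
    return None, {}


if __name__ == '__main__':
    decs = load_decoders(DECODERS_XML)
    for sample in (FULL_LINE, SHORT_LINE):
        print(decode(sample, decs))
```

Running it shows the original line stopping at the parent decoder with no fields, while the shortened line reaches custom1-apache-access-log and yields srcip, url, status and the rest; a decoder that is only ever tested against a trimmed line will silently miss real traffic, so test against the full records the application actually writes.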
Published at DZone with permission of Madhuka Udantha, DZone MVB.