How to Add an OSSEC Decoder to an Application
How to Add an OSSEC Decoder to an Application
Madhuka Udantha presents a tutorial on how to add an OSSEC Decoder to the log of an application, how to test it, and information about the child decoder.
Join the DZone community and get the full member experience.
Join For FreeSignalFx is the only real-time cloud monitoring platform for infrastructure, microservices, and applications. The platform collects metrics and traces across every component in your cloud environment, replacing traditional point tools with a single integrated solution that works across the stack.
Each application contains it's own log record format. For example:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
Here we add new ossec decoder called “custom-apache-access-log”
# /var/ossec/etc/decoder.xml
<decoder name="custom-apache-access-log">
<program_name>custom-apache-access-log</program_name>
</decoder>
Then test it:
# /var/ossec/bin/ossec-logtest
It says:
**Phase 2: Completed decoding.
No decoder matched.
No matching found as we did not write match for our new custom log decoder still. Let write prematch for our decoder
<decoder name="custom-apache-access-log">
<prematch>^web.madhuka.lk </prematch>
</decoder>
Then run again then it will hit our custom decoder as below:
Adding new child decoder:
<decoder name="custom1-apache-access-log">
<parent>custom-apache-access-log</parent>
<prematch offset="after_parent"> "POST \S+ \S+" </prematch>
<regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
<order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>
Testing with:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"
SignalFx is built on a massively scalable streaming architecture that applies advanced predictive analytics for real-time problem detection. With its NoSample™ distributed tracing capabilities, SignalFx reliably monitors all transactions across microservices, accurately identifying all anomalies. And through data-science-powered directed troubleshooting SignalFx guides the operator to find the root cause of issues in seconds.
Like This Article? Read More From DZone
Published at DZone with permission of Madhuka Udantha , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}