
How to Add an OSSEC Decoder to an Application


Madhuka Udantha presents a tutorial on how to add an OSSEC Decoder to the log of an application, how to test it, and information about the child decoder.


Each application writes log records in its own format. For example, an Apache access log line:

web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

Here we add a new OSSEC decoder called “custom-apache-access-log” to the decoder file:

# /var/ossec/etc/decoder.xml

<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>

Then test it by feeding the log line to ossec-logtest:

# /var/ossec/bin/ossec-logtest


The decoding phase reports:

**Phase 2: Completed decoding.
       No decoder matched.

Nothing matched because we have not yet written a match condition for our new decoder (program_name only applies to syslog-style records, and this line has no program name). Let's add a prematch to the decoder instead:

<decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
</decoder>

Run ossec-logtest again and the log line now hits our custom decoder.

Now add a child decoder that picks out the fields of POST requests, matching and extracting from the text after the parent's prematch:

<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>

Test with the following log line. The user agent is shortened to "Mozilla/5.0" because \S+ in the regex cannot match spaces, so the full "Mozilla/5.0 (Windows NT 6.3; ...)" string would make the child regex fail:

web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"

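To see how the parent prematch, the child's offset="after_parent" and the order list fit together without an OSSEC install, here is an added Python script (not part of the original article and not OSSEC's own code) that models the decoding step ossec-logtest reports. It embeds a constructed copy of the two decoders above and the two sample lines, translates OSSEC's regex dialect into Python's re module only as far as these decoders need (brackets are literal in OSSEC, so they are escaped), and shows why the full user-agent string falls back to the parent decoder while the shortened one reaches the child. The field handling is an approximation: it keeps every captured (field, value) pair, so the repeated extra_data entries stay visible.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the two decoders built in the article, embedded so the
# script runs without OSSEC. A raw string keeps the backslashes intact.
DECODER_XML = r"""
<decoders>
  <decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
  </decoder>
  <decoder name="custom1-apache-access-log">
    <parent>custom-apache-access-log</parent>
    <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
    <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
    <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
  </decoder>
</decoders>
"""

# Constructed sample lines: the article's full record and the shortened one
# it actually tests the child decoder with.
FULL_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
             '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" '
             '"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"')
SHORT_LINE = ('web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
              '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"')


def ossec_to_python_regex(pattern):
    """Approximate OSSEC's os_regex dialect with Python's re module.

    OSSEC treats [ ] { } ? as literal characters, so they are escaped here;
    \\S \\s \\d \\w + * ^ $ ( ) | and . mean the same in both dialects.
    Other os_regex features (for example \\p for punctuation) are not handled.
    """
    out = []
    prev_backslash = False
    for ch in pattern:
        if not prev_backslash and ch in '[]{}?':
            out.append('\\' + ch)
        else:
            out.append(ch)
        prev_backslash = (ch == '\\') and not prev_backslash
    return ''.join(out)


def load_decoders(xml_text):
    """Parse <decoder> elements into plain dicts keyed by decoder name."""
    decoders = {}
    for node in ET.fromstring(xml_text).findall('decoder'):
        d = {'name': node.get('name'), 'parent': None, 'prematch': None,
             'prematch_offset': None, 'regex': None, 'regex_offset': None,
             'order': []}
        for child in node:
            if child.tag == 'parent':
                d['parent'] = child.text.strip()
            elif child.tag == 'prematch':
                # Leading/trailing spaces are kept: they are part of the pattern.
                d['prematch'] = re.compile(ossec_to_python_regex(child.text))
                d['prematch_offset'] = child.get('offset')
            elif child.tag == 'regex':
                d['regex'] = re.compile(ossec_to_python_regex(child.text))
                d['regex_offset'] = child.get('offset')
            elif child.tag == 'order':
                d['order'] = [f.strip() for f in child.text.split(',')]
        decoders[d['name']] = d
    return decoders


def decode(line, decoders):
    """Model the decoding phase: a parent is chosen by its prematch, then each
    child's prematch and regex are tried, with offset="after_parent" evaluated
    on the text that follows the parent's match. Returns
    (decoder_name, [(field, value), ...]); (None, []) means no decoder matched."""
    for parent in (d for d in decoders.values() if d['parent'] is None):
        m = parent['prematch'].search(line)
        if not m:
            continue
        after_parent = line[m.end():]   # '^' in the child then anchors here
        for child in (d for d in decoders.values() if d['parent'] == parent['name']):
            target = after_parent if child['prematch_offset'] == 'after_parent' else line
            if child['prematch'] and not child['prematch'].search(target):
                continue
            if child['regex'] is None:
                return child['name'], []
            target = after_parent if child['regex_offset'] == 'after_parent' else line
            rm = child['regex'].search(target)
            if rm is None:
                continue   # prematch hit but regex did not: stay with the parent
            return child['name'], list(zip(child['order'], rm.groups()))
        return parent['name'], []   # parent matched, no child extracted fields
    return None, []


if __name__ == '__main__':
    decs = load_decoders(DECODER_XML)
    for sample in (FULL_LINE, SHORT_LINE):
        name, fields = decode(sample, decs)
        print(name)
        for field, value in fields:
            print(f'  {field}: {value}')
```

Running it prints the parent decoder name with no fields for the full line and custom1-apache-access-log with nine fields (srcip 123.231.120.128, url /lksearch.php, status 200, and so on) for the shortened one, which is the same difference the two ossec-logtest runs in the article show.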

Topics: performance, ossec, log entries

Published at DZone with permission of Madhuka Udantha, DZone MVB. See the original article here.
