
How to Add an OSSEC Decoder to an Application

Madhuka Udantha presents a tutorial on how to add an OSSEC Decoder to the log of an application, how to test it, and information about the child decoder.


Each application has its own log record format. For example, an Apache access log line:

web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

Here we add a new OSSEC decoder called “custom-apache-access-log” to the decoder file:

# /var/ossec/etc/decoder.xml

<decoder name="custom-apache-access-log">
</decoder>

Then test it:

# /var/ossec/bin/ossec-logtest


It says:

**Phase 2: Completed decoding.
       No decoder matched.

No decoder matched because we have not yet written a match for our new custom decoder. Let's add a prematch to it:

<decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
</decoder>

Run ossec-logtest again and the line now hits our custom decoder, as below:

Adding a new child decoder (the <parent> element names the decoder above; OSSEC needs it to treat this as a child):

<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>

Testing with:

web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"
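Before reaching for ossec-logtest, a quick dry run shows which regex group lands in which <order> field and flags count mismatches. The Python checker below is an added example, not part of the article or of OSSEC; it assumes the <parent> element on the child decoder, translates OSSEC's regex dialect (where square brackets are literal) into Python's, and deliberately does not model the offset attributes, so ossec-logtest remains the authority on how the decoders chain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the article's two decoders. The <parent> element is an assumption
# (OSSEC requires it on a child decoder); offset attributes are kept but not modelled here.
DECODER_XML = r"""<decoders>
<decoder name="custom-apache-access-log">
  <prematch>^web.madhuka.lk </prematch>
</decoder>
<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>
</decoders>"""

# Constructed sample line, the same one the article feeds to ossec-logtest.
SAMPLE_LOG = ('web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" '
              '200 35765 "http://madhuka.lk/" "Mozilla/5.0"')

# Field names OSSEC accepts inside <order>.
KNOWN_FIELDS = {"location", "srcuser", "dstuser", "user", "srcip", "dstip", "srcport", "dstport",
                "protocol", "action", "id", "url", "data", "extra_data", "status", "system_name"}

def ossec_regex_to_python(pattern):
    r"""OSSEC's engine treats [ ] { } as literal characters; \S \d \w and ^ $ ( ) + mean the
    same as in Python, so only the brackets need escaping."""
    return re.sub(r"[\[\]{}]", lambda m: "\\" + m.group(0), pattern)

def check_decoder(xml_text, name, log):
    """Dry-run one decoder against a log line: prematch must hit, then each regex capture
    group is mapped onto its <order> name. Returns ([(field, value), ...], [warnings])."""
    dec = next(d for d in ET.fromstring(xml_text).iter("decoder") if d.get("name") == name)
    pre, regex, order = dec.find("prematch"), dec.find("regex"), dec.find("order")
    if pre is not None and not re.search(ossec_regex_to_python(pre.text), log):
        return [], ["prematch did not hit: " + pre.text]
    if regex is None:                      # parent decoder: it only routes to its children
        return [], []
    names = [n.strip() for n in order.text.split(",")] if order is not None else []
    m = re.search(ossec_regex_to_python(regex.text), log)
    if m is None:
        return [], ["regex did not match the sample line"]
    warnings = []
    if len(m.groups()) != len(names):
        warnings.append(f"{len(m.groups())} capture groups but {len(names)} <order> names")
    warnings += ["unknown field in <order>: " + n for n in names if n not in KNOWN_FIELDS]
    if len(set(names)) != len(names):
        warnings.append("repeated names in <order>: OSSEC stores one value per field")
    return list(zip(names, m.groups())), warnings
```

Run `check_decoder(DECODER_XML, "custom1-apache-access-log", SAMPLE_LOG)` to see the nine (field, value) pairs; the repeated extra_data entries in <order> are reported as a warning because only one value per field is stored.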
