
How to Add an OSSEC Decoder to an Application


Madhuka Udantha presents a tutorial on how to add an OSSEC Decoder to the log of an application, how to test it, and information about the child decoder.


Each application has its own log record format. For example, an Apache access log line:

web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

Here we add a new OSSEC decoder called "custom-apache-access-log" to /var/ossec/etc/decoder.xml:

# /var/ossec/etc/decoder.xml

<decoder name="custom-apache-access-log">
</decoder>

Then test it:

# /var/ossec/bin/ossec-logtest


It says:

**Phase 2: Completed decoding.
       No decoder matched.

No decoder matched because we have not yet written a match for our new custom decoder. Let's add a prematch to it:

<decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
</decoder>

Run ossec-logtest again and the line will now hit our custom decoder, as shown below:

[Screenshot: ossec-logtest output showing the event decoded by custom-apache-access-log]

Adding a new child decoder that extracts the fields of POST requests:

<decoder name="custom1-apache-access-log">
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>

Testing with:

web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"

[Screenshot: ossec-logtest output showing the fields extracted by custom1-apache-access-log]
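To check the parent/child patterns above against more than one log line before loading them into decoder.xml, here is an added Python emulation of the decoding stages that ossec-logtest walks through. It is example code written for this page, not part of the original post or of OSSEC. It translates the OSSEC regex dialect into Python's re and ignores OSSEC's offset handling (after_parent), running each pattern against the whole line, so it validates the patterns themselves rather than ossec-analysisd. The sample log lines are constructed for the example.

```python
import re

# Translation of the decoders above from OSSEC's regex dialect into Python re:
#   \S, \d, ^, $, + and ( ) carry over unchanged;
#   '.' is a literal dot in OSSEC, so it is escaped here;
#   '[' and ']' are literal in OSSEC but must be escaped in Python.
# Offset handling (after_parent) is not modelled: every pattern is run
# against the whole line.  This is an emulation for testing, not OSSEC code.
PARENT_PREMATCH = re.compile(r"^web\.madhuka\.lk ")
CHILD_PREMATCH = re.compile(r'"POST \S+ \S+"')
CHILD_REGEX = re.compile(
    r'^(\S+) - - \[(\S+) (\S+)\] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$'
)
# Field names from the child decoder's <order>, one per capture group.
CHILD_ORDER = ["srcip", "extra_data", "extra_data", "url", "srcuser",
               "status", "extra_data", "extra_data", "extra_data"]


def decode(line):
    """Emulate the stages ossec-logtest reports for one log line.

    Returns (decoder_name, fields): decoder_name is None when the parent
    prematch does not hit, the parent's name when only the parent matches,
    and the child's name plus a list of (order_name, value) pairs when the
    child's prematch and regex both match.
    """
    if not PARENT_PREMATCH.search(line):
        return None, []
    if not CHILD_PREMATCH.search(line):
        return "custom-apache-access-log", []
    m = CHILD_REGEX.search(line)
    if not m:
        # Child prematch hit but the regex did not: the event stays with
        # the parent decoder and no fields are extracted.
        return "custom-apache-access-log", []
    return "custom1-apache-access-log", list(zip(CHILD_ORDER, m.groups()))


def field(fields, name):
    """First value recorded for an <order> name, or None if absent."""
    for n, v in fields:
        if n == name:
            return v
    return None


# Constructed sample lines (not real traffic).
SHORT_POST = ('web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] '
              '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" '
              '"Mozilla/5.0"')
FULL_UA_POST = ('web.madhuka.lk - - [27/Dec/2015:03:44:16 +0530] '
                '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" '
                '"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 '
                'Firefox/43.0"')
GET_LINE = ('web.madhuka.lk - - [27/Dec/2015:03:44:20 +0530] '
            '"GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.47.0"')
OTHER_HOST = ('www.example.com - - [27/Dec/2015:03:45:00 +0530] '
              '"POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"')


if __name__ == "__main__":
    for line in (SHORT_POST, FULL_UA_POST, GET_LINE, OTHER_HOST):
        print(decode(line))
```

Running it shows why the test line in the post uses a bare "Mozilla/5.0": with the real User-Agent string, which contains spaces, the child regex fails because `\S+` stops at the first space, so the event falls back to the parent decoder with no fields. In OSSEC's own syntax `\.` matches any character, so a final group written as `"(\.+)"$` would capture the full User-Agent. The GET line shows the child prematch restricting the child to POST requests, and the other host shows the parent prematch rejecting logs from other servers.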



Published at DZone with permission of
