
OSSEC Monitor your App log file

2013-08-22 16:52  Views: 20939
 
OSSEC monitors system logs out of the box with its built-in decoders and rules, and does a good job of it. Don't forget that OSSEC can also monitor custom log files such as your own app's log; you just have to write your own decoder and rule for it.
 
Add the log file you want to monitor to ossec.conf
 
Open up /var/ossec/etc/ossec.conf and add the block below:

```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/my_app.log</location>
</localfile>
```
 
Create a custom decoder
OSSEC uses decoders to parse log files. After it finds the matching decoder for a log line, it extracts the fields defined in /var/ossec/etc/decoder.xml (and local_decoder.xml) and compares their values against the rule files; when the decoded values match what a rule specifies, an alert is triggered.
 
Decoders live on the server, not on the agents. Custom decoders should be added to /var/ossec/etc/local_decoder.xml on the server.
The log I want to trigger an alert for looks something like this:
 
```text
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot
2010-09-25 15:28:52 [node-test]IP:[email protected]
2010-09-25 15:29:52 [node-test]IP:[email protected]
2010-09-25 15:39:52 [node-info]IP:[email protected]
2010-09-27 16:39:52 [node-info]IP:[email protected]
```
 
Open up /var/ossec/etc/local_decoder.xml (you can also use decoder.xml, which already exists, but using local_decoder.xml will assure that you don’t overwrite it on upgrade). First, we want to create a decoder that will match the first part of the log entry. We’ll use the date and first few characters to grab it using a regular expression.
 
The decoder file looks like this:

```xml
<!-- parent decoder: matches the timestamp and the [node-test] tag
     (square brackets are literal characters in OSSEC's regex dialect) -->
<decoder name="nodeerror">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d [node-test]</prematch>
</decoder>

<!-- child decoder: continues after the parent's match and extracts
     the two fields named in <order> -->
<decoder name="nodeerror-alert">
  <parent>nodeerror</parent>
  <regex offset="after_parent">IP:(\d+.\d+.\d+.\d+)@(\w+)</regex>
  <order>url,action</order>
</decoder>
```
 
 
Save your local_decoder.xml and let's run a log line through ossec-logtest (paste the line at its prompt):
 
```text
# /var/ossec/bin/ossec-logtest
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot


**Phase 1: Completed pre-decoding.
       full event: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot'
       hostname: 'pms-srv01'
       program_name: '(null)'
       log: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot'

**Phase 2: Completed decoding.
       decoder: 'nodeerror'
       url: '192.1.1.1'
       action: 'reboot'

**Phase 3: Completed filtering (rules).
       Rule id: '700006'
       Level: '8'
       Description: 'reboot happens!'
**Alert to be generated.
```
 
Looks good! It found our decoder and extracted the fields the way we want them. Now we're ready to write local rules.
 
 
Write custom rules
 
Open /var/ossec/rules/local_rules.xml and add the rules below:

```xml
<!-- place these inside the existing <group> element of local_rules.xml -->
<!-- base rule: fires (silently, level 0) for every line our decoder handles -->
<rule id="700005" level="0">
    <decoded_as>nodeerror</decoded_as>
    <description>Custom node Alert</description>
</rule>
<!-- Alert: only when the decoded action field is "reboot" -->
<rule id="700006" level="8">
    <if_sid>700005</if_sid>
    <action>reboot</action>
    <options>alert_by_email</options>
    <description>reboot happens!</description>
</rule>
```
 
Save your local_rules.xml file. Now we are ready to restart OSSEC and check the alert.
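To sanity-check the decoder chain and the two rules above without an OSSEC install, here is an added Python script (not from the post or from OSSEC) that mimics ossec-logtest's phase 2 and phase 3 for exactly these decoders and rules. The OSSEC regexes are hand-translated to Python syntax and the sample log lines are constructed, since the post's own lines were mangled.

```python
import re

# Constructed sample lines in the same shape as the post's log (values are made up).
SAMPLE_LOG = """\
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot
2010-09-25 15:28:52 [node-test]IP:192.1.1.2@login
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot
garbage line that matches nothing
"""

# Hand-translation of the post's OSSEC decoders. OSSEC's regex dialect treats
# [ ] as literal characters, so they are escaped for Python here.
PARENT_PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \[node-test\]")
CHILD_REGEX = re.compile(r"IP:(\d+\.\d+\.\d+\.\d+)@(\w+)")
CHILD_ORDER = ("url", "action")  # the <order> element of nodeerror-alert

def decode(line):
    """Phase 2: parent prematch first, then the child regex with offset=after_parent."""
    m = PARENT_PREMATCH.match(line)
    if not m:
        return None                       # no decoder matched
    fields = {"decoder": "nodeerror"}     # logtest reports the parent's name
    child = CHILD_REGEX.search(line, m.end())   # after_parent: search the remainder
    if child:
        fields.update(zip(CHILD_ORDER, child.groups()))
    return fields

def evaluate(line):
    """Phase 3 for rules 700005 (decoded_as, level 0) and 700006 (if_sid + action)."""
    fields = decode(line)
    if fields is None:
        return None                       # neither of our rules applies
    if fields.get("action") == "reboot":
        return {"rule": 700006, "level": 8, "alert": True}
    return {"rule": 700005, "level": 0, "alert": False}

def run(log_text):
    """Return (line, verdict) pairs for every non-empty line of the log."""
    return [(line, evaluate(line)) for line in log_text.splitlines() if line]

if __name__ == "__main__":
    for line, verdict in run(SAMPLE_LOG):
        print(f"{line!r:55} -> {verdict}")
```

Only the [node-test] line with action "reboot" reaches rule 700006; the [node-info] line never enters the chain because the parent prematch fails, which is the behaviour you should confirm with the real ossec-logtest before restarting.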
 