
OSSEC Monitor your App log file

2013-08-22 16:52, read 20912 times

OSSEC monitors system logs with built-in support and does a good job. Don't forget that OSSEC can also monitor custom log files, such as our app's log. You have to create your own decoder and rule for that.
Add the log file you want to monitor to ossec.conf

Open up /var/ossec/etc/ossec.conf and add the block below:

```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/my_app.log</location>
</localfile>
```
Create a custom decoder

OSSEC uses decoders to parse log files. After it finds the proper decoder for a log, it parses out the fields defined in /var/ossec/etc/decoder.xml and compares those values to the values in the rule files; an alert is triggered when the values in the decoded log match the values specified in the rules.

Decoders exist on the server, not on the agents. Custom decoders should be added to /var/ossec/etc/local_decoder.xml on the server.

The log I want to trigger an alert for looks something like this:

```plain
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:29:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.
2010-09-27 16:39:52 [node-info]IP:192.1.1.1@reboot.
```

Open up /var/ossec/etc/local_decoder.xml (you can also use decoder.xml, which already exists, but using local_decoder.xml ensures that an upgrade doesn't overwrite your changes). First, we want to create a decoder that matches the first part of the log entry. We'll match on the date and the next few characters with a regular expression; a child decoder then extracts the fields we care about.

The decoder file looks like this:
```xml
<decoder name="nodeerror">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d [node-test]</prematch>
</decoder>

<decoder name="nodeerror-fields">  <!-- child decoder name not preserved on the page; any name works -->
  <parent>nodeerror</parent>
  <regex>IP:(\d+.\d+.\d+.\d+)@(\w+)</regex>
  <order>url,action</order>
</decoder>
```

Save your local_decoder.xml and let's run the log file through ossec-logtest.

```plain
# /var/ossec/bin/ossec-logtest
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.


**Phase 1: Completed pre-decoding.
       full event: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'
       hostname: 'pms-srv01'
       program_name: '(null)'
       log: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'

**Phase 2: Completed decoding.
       decoder: 'nodeerror'
       url: '192.1.1.1'
       action: 'reboot'

**Phase 3: Completed filtering (rules).
       Rule id: '700006'
       Level: '8'
       Description: 'reboot happens!'
**Alert to be generated.
```

Looks good! It found our decoder and extracted the fields the way we want ‘em. Now, we’re ready to write local rules.
Write custom rules

Open /var/ossec/rules/local_rules.xml and add the rules below. The first rule matches everything our decoder handles; the second one, chained to it with if_sid, fires only when the decoded action is "reboot":

```xml
<group name="local,syslog,">  <!-- group name not preserved on the page; any name works -->
  <rule id="700005" level="0">  <!-- level not preserved on the page; 0 keeps this parent rule silent -->
    <decoded_as>nodeerror</decoded_as>
    <description>Custom node Alert</description>
  </rule>

  <rule id="700006" level="8">
    <if_sid>700005</if_sid>
    <action>reboot</action>
    <group>alert_by_email</group>
    <description>reboot happens!</description>
  </rule>
</group>
```

Save your local_rules.xml file. Now we are ready to restart OSSEC and check the alert.

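As an added example (not part of the original post), the following Python emulates what the decoder pair and the two-rule chain above do with the sample log, using constructed copies of the log lines; it assumes level 0 for the parent rule 700005, and the page's prematch is rewritten with escaped brackets because OSSEC's own regex engine treats `[` and `]` literally while Python's re module does not. It also shows why the two [node-info] lines never alert: they fail the prematch, so no decoder and therefore no rule applies to them.

```python
import re

# Constructed sample input, in the shape of the page's my_app.log lines.
SAMPLE_LOG = """\
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:29:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.
2010-09-27 16:39:52 [node-info]IP:192.1.1.1@reboot.
"""

# OSSEC's own regex engine treats '[' and ']' literally; Python's re needs them escaped.
PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \[node-test\]")
FIELD_REGEX = re.compile(r"IP:(\d+.\d+.\d+.\d+)@(\w+)")  # the child decoder's <regex>
FIELD_ORDER = ("url", "action")  # the <order> element: capture group N -> field N
RULES = [  # emulates local_rules.xml; level 0 for 700005 is an assumption
    {"id": "700005", "level": 0, "decoded_as": "nodeerror", "description": "Custom node Alert"},
    {"id": "700006", "level": 8, "if_sid": "700005", "action": "reboot", "description": "reboot happens!"},
]

def decode(line):
    """Parent decoder gates on the prematch; the child decoder then fills in the fields."""
    if not PREMATCH.search(line):
        return None  # e.g. the [node-info] lines: no decoder matched, so no rule can fire
    fields = {"decoder": "nodeerror"}
    m = FIELD_REGEX.search(line)
    if m:
        fields.update(zip(FIELD_ORDER, m.groups()))
    return fields

def match_rule(fields):
    """Walk the rule chain: a rule with if_sid applies only after its parent rule matched."""
    if fields is None:
        return None
    matched = None
    for rule in RULES:
        if "decoded_as" in rule and fields.get("decoder") != rule["decoded_as"]:
            continue
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "action" in rule and fields.get("action") != rule["action"]:
            continue
        matched = rule  # a later, more specific rule overrides the parent match
    return matched

def alerts_for(log_text):
    """(line, rule id) for each line whose final rule has level >= 1, i.e. would alert."""
    hits = ((line, match_rule(decode(line))) for line in log_text.splitlines())
    return [(line, rule["id"]) for line, rule in hits if rule and rule["level"] >= 1]
```

Running `alerts_for(SAMPLE_LOG)` yields three hits, all on rule 700006, mirroring the Phase 2 and Phase 3 output of ossec-logtest above.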