OSSEC Monitor your App log file
 
 
OSSEC monitors system logs out of the box with its built-in decoders and rules, and does a good job of it. Don't forget that OSSEC can also monitor a custom log file such as our app's log; for that you have to create your own decoder and rule.
 
Add the log file you want to monitor to ossec.conf
 
Open up /var/ossec/etc/ossec.conf and add the block below:

[html] 
<localfile>  
  <log_format>syslog</log_format>  
  <location>/var/log/my_app.log</location>  
</localfile>  
 
Create a custom decoder
OSSEC uses decoders to parse log files. Once it finds the proper decoder for a log entry, it parses out the fields defined in /var/ossec/etc/decoder.xml and compares their values to the values given in the rule files; an alert is triggered when the values extracted from the decoded log entry match those specified in a rule.
 
Decoders live on the server, not on the agents, so a custom decoder should be added to /var/ossec/etc/local_decoder.xml on the server.
The log I want to trigger an alert for looks something like this:
 
[html] 
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.  
2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.  
2010-09-25 15:29:52 [node-test]IP:192.1.1.1@reboot.  
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.  
2010-09-27 16:39:52 [node-info]IP:192.1.1.1@reboot.  
 
Open up /var/ossec/etc/local_decoder.xml (you can also use decoder.xml, which already exists, but using local_decoder.xml ensures that an upgrade does not overwrite your changes). First, we want to create a decoder that matches the first part of the log entry. We'll use the date and the first few characters after it to grab the line with a regular expression.
 
The decoder file looks like this:
[html] 
<!-- Parent decoder: the prematch only has to identify the line, so the timestamp and the [node-test] tag are enough -->
<decoder name="nodeerror">
        <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d [node-test]</prematch>
</decoder>

<!-- Child decoder: runs on the text after the parent's match and extracts the fields listed in <order> -->
<decoder name="nodeerror-alert">
  <parent>nodeerror</parent>
  <!-- dots are escaped so that only a literal "." separates the address octets -->
  <regex offset="after_parent">IP:(\d+\.\d+\.\d+\.\d+)@(\w+)</regex>
  <order>url,action</order>
</decoder>
 
 
Save your local_decoder.xml and let’s run the log file through ossec-logtest.
 
[plain] 
# /var/ossec/bin/ossec-logtest
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.

**Phase 1: Completed pre-decoding.  
       full event: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'  
       hostname: 'pms-srv01'  
       program_name: '(null)'  
       log: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'  
  
**Phase 2: Completed decoding.  
       decoder: 'nodeerror'  
       url: '192.1.1.1'  
       action: 'reboot'  
  
**Phase 3: Completed filtering (rules).  
       Rule id: '700006'  
       Level: '8'  
       Description: 'reboot happens!'  
**Alert to be generated.  
 
Looks good! It found our decoder and extracted the fields the way we want them. (Phase 3 already shows rule 700006 firing because the rules from the next section were in place when this test was run; with the decoder alone you would see no rule match yet.) Now we're ready to write the local rules.
 
 
Write custom rules
 
Open /var/ossec/rules/local_rules.xml and add the rules below. The first rule (level 0) only groups every event decoded as nodeerror and never alerts on its own; the second rule hangs off it with if_sid and alerts only when the decoded action field equals reboot.
[html] 
<rule id="700005" level="0">  
    <decoded_as>nodeerror</decoded_as>  
    <description>Custom node Alert</description>  
</rule>  
<!-- Alert -->  
<rule id="700006" level="8">  
    <if_sid>700005</if_sid>  
    <action>reboot</action>  
    <options>alert_by_email</options>  
    <description>reboot happens!</description>  
</rule>  
 
Save your local_rules.xml file. Now we are ready to restart OSSEC and check the alerts.
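To make the decoder-then-rule flow above concrete, here is an added Python emulation (not OSSEC code and not from the original article) that runs the page's decoder chain and rule chain over a few constructed log lines, including two that must not alert. The patterns are translated into Python's re syntax because OSSEC's own OS_Regex dialect differs (for instance, "[" is literal there), so this illustrates the matching model rather than replacing ossec-logtest.

```python
import re

# Constructed sample lines: one alert, one that fails the prematch, one with another action.
SAMPLE_LOG = [
    "2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.",
    "2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.",    # no [node-test]: prematch fails
    "2010-09-26 09:00:00 [node-test]IP:10.0.0.7@shutdown.",   # decodes, but action != reboot
]

# Decoder chain from local_decoder.xml, in Python regex syntax (brackets escaped).
PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \[node-test\]")
FIELDS = re.compile(r"IP:(\d+\.\d+\.\d+\.\d+)@(\w+)")
ORDER = ("url", "action")          # the <order> element of the child decoder


def decode(line):
    """Emulate decoder 'nodeerror' plus child 'nodeerror-alert' (offset=after_parent)."""
    m = PREMATCH.search(line)
    if not m:
        return None                # no decoder matched; OSSEC would try the next decoder
    rest = line[m.end():]          # after_parent: the child regex sees only the remainder
    f = FIELDS.search(rest)
    fields = dict(zip(ORDER, f.groups())) if f else {}
    return {"decoder": "nodeerror", **fields}


# Rules from local_rules.xml: a level-0 grouping rule and a child keyed on the action field.
RULES = [
    {"id": "700005", "level": 0, "decoded_as": "nodeerror", "if_sid": None, "action": None},
    {"id": "700006", "level": 8, "decoded_as": None, "if_sid": "700005", "action": "reboot"},
]


def evaluate(line):
    """Return (rule id, level) of the most specific matching rule, or None."""
    d = decode(line)
    if d is None:
        return None
    matched = None
    for r in RULES:
        if r["decoded_as"] and d["decoder"] != r["decoded_as"]:
            continue
        if r["if_sid"] and (matched is None or matched["id"] != r["if_sid"]):
            continue               # child rule only applies after its parent matched
        if r["action"] and d.get("action") != r["action"]:
            continue
        matched = r
    return (matched["id"], matched["level"]) if matched else None


def alerts(lines, min_level=1):
    """Lines that would generate an alert, like phase 3 of ossec-logtest."""
    return [(l, evaluate(l)[0]) for l in lines if evaluate(l) and evaluate(l)[1] >= min_level]
```

Running alerts(SAMPLE_LOG) yields only the first line with rule 700006, while the shutdown line is decoded and matches 700005 at level 0 without alerting.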