OSSEC generates an alert because, once a log line has been captured, a decoder parses it and the decoded result is then matched against the rules.
Writing your own decoders is therefore very useful when working with OSSEC. Here we will use OSSEC's test tool, ossec-logtest, to try one out.
Let us write a simple rule: when the log line lion_00 appears, an alert with rule id 8888 and level (severity) 7 is generated.
First create the rule: add a file testrule.xml under /var/ossec/rule with the following content (the original only shows the values; the group name "local," is an assumption, the other values are taken from the text):

  <group name="local,">                  <!-- every set of rules must sit inside a group -->
    <rule id="8888" level="7">
      <decoded_as>lion</decoded_as>        <!-- use the decoder named lion -->
      <description>testrule</description>  <!-- text of the generated alert -->
    </rule>
  </group>
The decoder is written in /var/ossec/etc/decoder.xml (default installation directory):

  <!-- the decoder named lion, as referenced by the rule above -->
  <decoder name="lion">
    <prematch>^lion_00</prematch>   <!-- a more advanced decoder takes many more matching parameters here -->
  </decoder>
Note that it is best to place your decoder near the front of the file, since decoders are tried in the order they appear and the first matching prematch wins.
Now run /var/ossec/bin/ossec-logtest, type lion_00 at the prompt, and you will see:
  ** Phase 1: Completed pre-decoding.
         Full event: 'lion_00'
         Hostname: 'idc2103'
         Program_name: '(null)'
         Log: 'lion_00'
  ** Phase 2: Completed decoding.
         Decoder: 'lion'
  ** Phase 3: Completed filtering (rules).
         Rule id: '000000'
         Level: '7'
         Description: 'testrule'
  ** Alert to be generated.
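As an added example (not part of the original post), here is what the "many more parameters" of an advanced decoder look like in practice: a decoder that extracts fields with regex and order, plus a base rule and a correlation rule that raises the level when the same source IP keeps failing. The log format, the decoder name lion-auth, the sample line and the rule ids are all constructed for illustration; ids 100100 and 100101 fall in the range OSSEC reserves for local rules.

```xml
<!-- Decoder (constructed example), goes in /var/ossec/etc/decoder.xml.
     Sample line it is written for (constructed):
       lion_00: auth failed user=alice from 10.0.0.5
     OSSEC uses its own pattern syntax: \S+ = run of non-spaces, \d+ = digits,
     a plain "." is a literal dot. Captured groups are assigned, in order,
     to the field names listed in <order>, so the rules can use srcip. -->
<decoder name="lion-auth">
  <prematch>^lion_00: auth failed</prematch>
  <regex offset="after_prematch">^ user=(\S+) from (\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- Rules (constructed example), go in a local rules file such as testrule.xml. -->
<group name="lion,">
  <!-- Base rule: fires once per decoded failure, at a low level. -->
  <rule id="100100" level="5">
    <decoded_as>lion-auth</decoded_as>
    <description>lion: authentication failure</description>
  </rule>

  <!-- Correlation rule: 5 hits of 100100 from the same srcip within 120 s
       escalate to level 10, which is what a brute-force attempt looks like. -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>lion: repeated authentication failures from the same source IP</description>
  </rule>
</group>
```

Paste the sample line into ossec-logtest and Phase 2 should report decoder 'lion-auth' with user and srcip fields; if the plain lion decoder from above sits earlier in decoder.xml, its ^lion_00 prematch wins and this decoder is never reached, which is exactly the ordering caveat noted above.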