OSSEC Monitor your App log file

2013-08-22 16:52 Reads: 17970

OSSEC monitors system logs with built-in support and does a good job. Don't forget that OSSEC can also monitor custom log files, such as our app's own log. To do that you have to write your own decoder and rules.
 
Add the log file you want to monitor to ossec.conf
 
Open up /var/ossec/etc/ossec.conf and add the block below:

[html] 
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/my_app.log</location>
</localfile>
 
Create a custom decoder
OSSEC uses decoders to parse log lines. Once it finds the decoder that matches a log line, it extracts the fields that decoder defines (the stock decoders live in /var/ossec/etc/decoder.xml) and compares those values against the rule files; an alert is triggered when the values decoded from the log match what a rule specifies.

Decoders live on the server, not on the agents, so a custom decoder should be added to /var/ossec/etc/local_decoder.xml on the server.
The log I want to trigger an alert for looks something like this:
 
[html] 
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:29:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.
2010-09-27 16:39:52 [node-info]IP:192.1.1.1@reboot.
 
Open up /var/ossec/etc/local_decoder.xml (you could also edit decoder.xml, which already exists, but using local_decoder.xml ensures your changes are not overwritten on upgrade). First we create a parent decoder that matches the start of the log entry: a regular expression on the timestamp and the first few characters of the line. A child decoder then extracts the fields we care about from the rest of the line.
 
The decoder file looks like this:
[html] 
<!-- Parent decoder: matches the timestamp and the [node-test] tag at the start of the line.
     OSSEC's regex dialect has no character classes, so the square brackets are literal. -->
<decoder name="nodeerror">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d [node-test]</prematch>
</decoder>

<!-- Child decoder: runs on the text after the parent's prematch and extracts the IP
     and the action. "\." is a literal dot in OSSEC's dialect; a bare "." matches any character. -->
<decoder name="nodeerror-alert">
  <parent>nodeerror</parent>
  <regex offset="after_parent">IP:(\d+\.\d+\.\d+\.\d+)@(\w+)</regex>
  <order>url,action</order>
</decoder>
 
 
Save your local_decoder.xml and run a sample line through ossec-logtest, which reads log lines from standard input and prints the result of each decoding phase:

[plain] 
# /var/ossec/bin/ossec-logtest
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.


**Phase 1: Completed pre-decoding.
       full event: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'
       hostname: 'pms-srv01'
       program_name: '(null)'
       log: '2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.'

**Phase 2: Completed decoding.
       decoder: 'nodeerror'
       url: '192.1.1.1'
       action: 'reboot'

**Phase 3: Completed filtering (rules).
       Rule id: '700006'
       Level: '8'
       Description: 'reboot happens!'
**Alert to be generated.

Looks good! It found our decoder and extracted the fields the way we want them. Note that Phase 3 already references rule 700006, which we write in the next section; until that rule exists, no alert is generated. Now we're ready to write the local rules.
 
 
Write custom rules
 
Open /var/ossec/rules/local_rules.xml and add the rules below:
[html] 
<!-- Base rule: matches anything our decoder handled; level 0 means it never alerts on its own -->
<rule id="700005" level="0">
    <decoded_as>nodeerror</decoded_as>
    <description>Custom node Alert</description>
</rule>
<!-- Alert: fires only when the base rule matched and the decoded action is "reboot" -->
<rule id="700006" level="8">
    <if_sid>700005</if_sid>
    <action>reboot</action>
    <options>alert_by_email</options>
    <description>reboot happens!</description>
</rule>

Save your local_rules.xml file. Now we are ready to restart OSSEC and check the alert.
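To make the decoder-then-rules chain above concrete, here is a small Python model of it, written for this article as an added example (it is not OSSEC code and not part of the original post). It feeds constructed sample lines in the article's format through a decoder that emulates the `nodeerror` prematch and field extraction, then through a rule table mirroring rules 700005 and 700006, and reports which lines would alert. The regexes are translated to Python's `re` dialect (OSSEC's own dialect has no `{n}` quantifiers and treats square brackets literally), so it is an approximation of OSSEC's matcher, not the matcher itself.

```python
import re

# Constructed sample lines in the article's log format (timestamps and IPs are
# illustrative). The third line uses a different action so the rule chain
# has something to reject; the last two should never reach the decoder.
SAMPLE_LOG = """\
2010-09-25 15:28:42 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:28:52 [node-test]IP:192.1.1.1@reboot.
2010-09-25 15:29:52 [node-test]IP:192.1.1.1@login.
2010-09-25 15:39:52 [node-info]IP:192.1.1.1@reboot.
this line matches no decoder at all
"""

# Python re translation of the two OSSEC decoder expressions (an approximation:
# OSSEC's dialect differs, e.g. no {n} quantifiers and literal square brackets).
PREMATCH = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[node-test\]")
FIELDS = re.compile(r"IP:(\d+\.\d+\.\d+\.\d+)@(\w+)")
ORDER = ("url", "action")  # same field names as <order>url,action</order>


def decode(line):
    """Emulate the nodeerror decoder: the prematch must hit first, then the
    child regex runs on the text after it (offset="after_parent")."""
    m = PREMATCH.match(line)
    if not m:
        return None
    fields = {"decoder": "nodeerror"}
    fm = FIELDS.search(line[m.end():])
    if fm:
        fields.update(zip(ORDER, fm.groups()))
    return fields


# Rule table mirroring local_rules.xml from the article.
RULES = [
    {"id": 700005, "level": 0, "decoded_as": "nodeerror", "if_sid": None,
     "action": None, "description": "Custom node Alert"},
    {"id": 700006, "level": 8, "decoded_as": None, "if_sid": 700005,
     "action": "reboot", "description": "reboot happens!"},
]


def match_rules(fields):
    """Walk the rules in order the way OSSEC chains them: a rule with if_sid
    only applies after its parent matched, and the deepest match wins."""
    matched = None
    for rule in RULES:
        if rule["decoded_as"] and fields.get("decoder") != rule["decoded_as"]:
            continue
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if rule["action"] and fields.get("action") != rule["action"]:
            continue
        matched = rule
    return matched


def process(log_text):
    """Run every line through decoder and rules; return the alerts (level > 0)
    as (rule id, level, url, action) tuples."""
    alerts = []
    for line in log_text.splitlines():
        fields = decode(line)
        if fields is None:
            continue  # no decoder matched: OSSEC drops the line here
        rule = match_rules(fields)
        if rule and rule["level"] > 0:
            alerts.append((rule["id"], rule["level"], fields.get("url"), fields.get("action")))
    return alerts


if __name__ == "__main__":
    for alert in process(SAMPLE_LOG):
        print("rule %d level %d  src=%s action=%s" % alert)
```

Only the two `[node-test]` lines whose action is `reboot` produce a level-8 alert; the `login` line is caught by the level-0 base rule and stays silent, and the `[node-info]` lines never pass the prematch. On a real server, after `/var/ossec/bin/ossec-control restart`, the same two lines appended to /var/log/my_app.log should show up in /var/ossec/logs/alerts/alerts.log with rule 700006.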
 