
OSSEC alerting for cron-apt #853

Closed
garrettr opened this issue Jan 28, 2015 · 2 comments

@garrettr (Contributor)

cron-apt's log output does not have a dedicated OSSEC decoder. As a result, cron-apt errors are only caught if they (luckily) match a set of simple heuristics (such as the word "error" being present in a log line).

For example, this cron-apt log results in one error reported:

```
root@mon-staging:/var/ossec/bin# ./ossec-logtest -a < /home/vagrant/log
2015/01/28 22:07:46 ossec-testrule: INFO: Reading local decoder file.
2015/01/28 22:07:46 ossec-testrule: INFO: Started (pid: 3450).
** Alert 1422482866.1: mail  - syslog,errors,
2015 Jan 28 22:07:46 mon-staging->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
W: GPG error: http://104.236.171.240 trusty Release: The following signatures were invalid: BADSIG B0898FE83F3BF9EB Freedom of the Press Foundation Test Signing Key
```

It would be good to test potential failure conditions for cron-apt and develop custom OSSEC rules for reporting on them.

@garrettr garrettr added this to the 0.3 milestone Jan 28, 2015
@dolanjs (Contributor) commented Jan 29, 2015

OSSEC doesn't have a built in decoder for cron-apt log entries. Cron-apt uses variable rate multi-line log entries and does not follow the syslog format. (syslog format would prepend date, process, event id for each line).

None of the OSSEC canned log file formats support the cron-apt format. So a decoder can't be written for them easily.
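The two points above (the issue body's observation that cron-apt failures are only caught when a line happens to contain "error", and the comment that cron-apt output is multi-line and not syslog-shaped) can be made concrete with a small triage script. This is an added example written for this page, not code from the SecureDrop project or from OSSEC. It walks a constructed cron-apt log, groups lines into runs by the `CRON-APT RUN` header (the header layout is an assumption about cron-apt's format), classifies each line against the failure conditions a practitioner would want rules for (BADSIG, NO_PUBKEY, hash mismatch, fetch failure, `E:` errors, packages kept back), and reports which of those hits the bare "error" keyword heuristic would have missed. The rule names, levels and regexes are my own choices; the BADSIG line is the one quoted in the issue, the remaining log lines are constructed.

```python
"""Line-level triage of cron-apt output, standing in for an OSSEC rule set.

cron-apt writes multi-line, non-syslog output, so detection has to key on
individual lines rather than on a decoded event. Each entry in RULES maps a
failure condition onto a name and an alert level, the way a local_rules.xml
<rule> with a <match> or <regex> would. The rule names and levels are
assumptions made for this example, not OSSEC or SecureDrop identifiers.
"""
import re

# Constructed sample log. The "CRON-APT ..." header layout is assumed; the
# BADSIG line is taken from the issue, the rest are constructed apt messages.
SAMPLE_LOG = """\
CRON-APT RUN [/etc/cron-apt/config]: Wed Jan 28 22:00:01 UTC 2015
CRON-APT SLEEP: 3112, Wed Jan 28 22:51:53 UTC 2015
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
W: GPG error: http://104.236.171.240 trusty Release: The following signatures were invalid: BADSIG B0898FE83F3BF9EB Freedom of the Press Foundation Test Signing Key
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/trusty-security/InRelease
E: Some index files failed to download. They have been ignored, or old ones used instead.
CRON-APT ACTION: 3-download
CRON-APT LINE: /usr/bin/apt-get dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
The following packages have been kept back:
  linux-image-generic
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/main openssl amd64 1.0.1f-1ubuntu2.8 [524 kB]
Hash Sum mismatch
"""

# (rule name, alert level, pattern), most specific first so the first hit wins.
# Names and levels are illustrative assumptions, not real OSSEC rule ids.
RULES = [
    ("apt_badsig",        12, re.compile(r"BADSIG|signatures were invalid")),
    ("apt_no_pubkey",     12, re.compile(r"NO_PUBKEY|public key is not available")),
    ("apt_hash_mismatch", 10, re.compile(r"Hash Sum mismatch")),
    ("apt_fetch_failed",   7, re.compile(r"^W: Failed to fetch")),
    ("apt_error",          7, re.compile(r"^E: ")),
    ("apt_kept_back",      5, re.compile(r"have been kept back")),
]

# The generic heuristic the issue describes: any line containing "error".
KEYWORD_HEURISTIC = re.compile(r"error", re.IGNORECASE)


def split_runs(text):
    """Group lines into cron-apt runs, keyed on the assumed 'CRON-APT RUN' header."""
    runs, current = [], None
    for line in text.splitlines():
        if line.startswith("CRON-APT RUN"):
            current = {"header": line, "lines": []}
            runs.append(current)
        elif current is not None:
            current["lines"].append(line)
    return runs


def classify(line):
    """Return (rule name, level) for the first matching rule, or None."""
    for name, level, pattern in RULES:
        if pattern.search(line):
            return name, level
    return None


def triage(text):
    """Return one alert dict per line that matches a rule, in log order."""
    alerts = []
    for run in split_runs(text):
        for line in run["lines"]:
            hit = classify(line)
            if hit is not None:
                alerts.append({"run": run["header"], "rule": hit[0],
                               "level": hit[1], "line": line})
    return alerts


def missed_by_keyword_heuristic(text):
    """Alerts whose line the bare 'error' keyword check would not have flagged."""
    return [a for a in triage(text) if not KEYWORD_HEURISTIC.search(a["line"])]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"[{alert['level']:>2}] {alert['rule']:<18} {alert['line'][:70]}")
    print(f"{len(missed_by_keyword_heuristic(SAMPLE_LOG))} alert(s) invisible to the 'error' heuristic")
```

On the constructed log only the BADSIG line contains the word "error", so the keyword heuristic sees one problem while the rule table sees five; the failed fetch, the `E:` index failure, the held-back package and the hash mismatch all go unreported. Each `RULES` entry is the shape of a candidate custom OSSEC rule, and the level ordering (signature failures highest) is the kind of prioritisation to carry over when writing them.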

@dolanjs (Contributor) commented Feb 15, 2015

This was fixed in pr #859 and can be closed.
