Hi all,

I am trying to report all actions made by some CheckPoint Firewalls.
After adjusting my decoder, I am trying to write some rules to match all
logged firewall actions like: Drop, Accept, Session Auth, etc.

For example, to report all drops, I have written this rule:

<group name="cpfirewall,">
  <rule id="100100" level="0">
    <description>CheckPoint Firewall-1 rules grouped.</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <action>Drop</action>
    <description>CheckPoint Firewall-1 drop action event.</description>
    <group>cpfirewall,drop,</group>
  </rule>
</group>

Testing one rule:

**Phase 1: Completed pre-decoding.
       full event: '"294" "28Feb2012" "23:59:14" "Lan2" "CHCKPNT1"
"Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" ""
"" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""'
       hostname: 'cosclunode02'
       program_name: '(null)'
       log: '"294" "28Feb2012" "23:59:14" "Lan2" "FW-INT-CHCKPNT1"
"Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" ""
"" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""'

**Phase 2: Completed decoding.
       decoder: 'custom-checkpoint-fw'
       action: 'Drop'
       srcip: '192.168.1.5'
       dstip: '192.168.1.255'
       proto: 'udp'
       extra_data: 'message_info: Address spoofing'

**Phase 3: Completed filtering (rules).
       Rule id: '100100'
       Level: '0'
       Description: 'CheckPoint Firewall-1 rules grouped.'

After this, I ran an ossec-reportd test:

[root@ossecsrv rules]# cat /data/config/logs/cp.logs |
/data/ossec/slave/bin/ossec-reportd -f level 5
2012/03/05 09:11:08 ossec-reportd: INFO: Started (pid: 25097).
2012/03/05 09:11:15 ossec-reportd: INFO: Report completed and zero
alerts post-filter

... and:

[root@ossecsrv rules]# cat /data/config/logs/cp.logs |
/data/ossec/slave/bin/ossec-reportd -f group cpfirewall
2012/03/05 09:12:10 ossec-reportd: INFO: Started (pid: 25097).
2012/03/05 09:12:50 ossec-reportd: INFO: Report completed and zero
alerts post-filter

... and:

[root@ossecsrv rules]# cat /data/config/logs/cp.logs |
/data/ossec/slave/bin/ossec-reportd -f group cpfirewall_drop
2012/03/05 09:13:45 ossec-reportd: INFO: Started (pid: 25097).
2012/03/05 09:14:10 ossec-reportd: INFO: Report completed and zero
alerts post-filter

... but it doesn't work. What am I doing wrong?
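As an added illustration (not code from the original post or from OSSEC), the following Python script mimics the decode-then-match flow shown in the logtest output above: it splits the quoted-field CheckPoint lines, maps positions to the decoder fields listed in Phase 2, and walks the two-rule tree so you can see which rule id and level a Drop line and a non-Drop line should end up with. The field positions and the second sample line are assumptions constructed from the one event in the post; the poster's real decoder definition is not shown.

```python
import csv

# Constructed sample lines in the quoted-field export format seen in the post.
# The second line (an Accept) is invented to show the non-matching case.
SAMPLE_LOGS = [
    '"294" "28Feb2012" "23:59:14" "Lan2" "FW-INT-CHCKPNT1" "Log" "Drop" "nbname" '
    '"nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" '
    '"message_info: Address spoofing" "VPN-1 Power/UTM" "" ""',
    '"295" "28Feb2012" "23:59:20" "Lan2" "FW-INT-CHCKPNT1" "Log" "Accept" "http" '
    '"http" "192.168.1.7" "10.0.0.20" "tcp" "" "" "" "" "" "VPN-1 Power/UTM" "" ""',
]

# Zero-based field index -> decoder field name. This mapping is an assumption
# derived from the Phase 2 output in the post, not the poster's decoder file.
FIELD_MAP = {6: "action", 9: "srcip", 10: "dstip", 11: "proto", 16: "extra_data"}

# Rule tree equivalent to the poster's XML: a level-0 parent that groups all
# CheckPoint events, and a child (if_sid) that fires only when action == Drop.
RULES = [
    {"id": 100100, "level": 0, "parent": None, "action": None},
    {"id": 100101, "level": 5, "parent": 100100, "action": "Drop"},
]


def decode(line):
    """Split a space-separated, double-quoted export line into decoder fields."""
    fields = next(csv.reader([line], delimiter=" ", quotechar='"'))
    return {name: fields[idx] for idx, name in FIELD_MAP.items() if idx < len(fields)}


def evaluate(line):
    """Return (rule id, level) of the deepest matching rule, like Phase 3 of logtest.

    A child rule is only considered once its parent (if_sid) has matched, and a
    rule with an <action> condition only matches when the decoded action is equal.
    """
    decoded = decode(line)
    matched_ids, best = set(), None
    for rule in RULES:  # parents are listed before their children
        if rule["parent"] is not None and rule["parent"] not in matched_ids:
            continue
        if rule["action"] is not None and decoded.get("action") != rule["action"]:
            continue
        matched_ids.add(rule["id"])
        best = (rule["id"], rule["level"])
    return best


if __name__ == "__main__":
    for log_line in SAMPLE_LOGS:
        print(decode(log_line)["action"], "->", evaluate(log_line))
```

If the Drop line yields rule 100101 at level 5 here but ossec-logtest stops at 100100, the mismatch is in the decoder or rule file rather than in the matching logic itself.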
