Hello,

I am trying to set up a local_decoder.xml entry to decode our Clavister log 
entries.
The clavister logfiles show only outgoing dropped traffic, for example:

Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 
id=06000051 rev=1 event=ruleset_drop_packet action=drop 
rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 
destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 
ack=1 fin=1

I could not find an existing clavister decoder so I am trying to write my 
own.
I tried something as follows:

<decoder name="clavister">
  <prematch>^\w+ \d+ \S+ </prematch>
</decoder>

If I get it correct, the ^ is the beginning of the line, \w+ = month, \d+ = day 
of month, \S+ = time, but it's not working as expected; running logtest shows:

**Phase 1: Completed pre-decoding.
       full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: 
RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop 
rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 
destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 
ack=1 fin=1'
       hostname: '10.170.80.3'
       program_name: '(null)'
       log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 
event=ruleset_drop_packet action=drop rule=d_all_any_to_external 
recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP 
ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'

**Phase 2: Completed decoding.
       No decoder matched.

It does not show the clavister field at Phase 2 which I would expect.

Can anyone point out what I am doing wrong even with this simple <prematch> 
example?

Thanks in advance.

Regards,

Michiel

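An added example, not part of the original post: the logtest output above is the clue. Decoders are matched against the `log` field that Phase 1 prints, not against the `full event`, and the pre-decoder has already consumed the syslog timestamp and hostname. The `log` field begins with `[2012-11-14 12:20:08] EFW: `, so a prematch of `^\w+ \d+ \S+ ` cannot match. The local_decoder.xml entry below anchors the prematch on what is actually left, then uses a child decoder to pull the key=value fields into OSSEC's standard field names. The mapping of `event=` to `status` and `rule=` to `extra_data` is my choice, since OSSEC has no dedicated field for either; the decoder names are likewise assumed.

```xml
<!-- Added example for local_decoder.xml (not from the original post).
     OSSEC regex notes: \d+ = digits, \S+ = non-space run, \.* = any
     characters, [ and ] are literal, ( ) capture a field for <order>. -->

<!-- Parent: matches the start of the "log" field as printed by
     ossec-logtest in Phase 1, i.e. after the syslog header is gone. -->
<decoder name="clavister">
  <prematch>^[\d+-\d+-\d+ \d+:\d+:\d+] EFW: </prematch>
</decoder>

<!-- Child: only ruleset events ("RULE:" right after the parent match).
     offset="after_parent" starts matching where the parent prematch ended;
     offset="after_prematch" starts the regex after "RULE: ". -->
<decoder name="clavister-rule">
  <parent>clavister</parent>
  <prematch offset="after_parent">^RULE: </prematch>
  <regex offset="after_prematch">\.*event=(\S+) action=(\S+) rule=(\S+) recvif=\S+ srcip=(\S+) destip=(\S+) ipproto=(\S+) ipdatalen=\d+ srcport=(\d+) destport=(\d+)</regex>
  <!-- Field mapping (my choice, see lead-in): event -> status,
       rule -> extra_data; the rest use OSSEC's standard names. -->
  <order>status, action, extra_data, srcip, dstip, protocol, srcport, dstport</order>
</decoder>
```

Feed the sample line to /var/ossec/bin/ossec-logtest after restarting OSSEC: Phase 2 should now report `decoder: 'clavister'` and list srcip, dstip, srcport, dstport, protocol and action, which a local rule can then match on (for example `<decoded_as>clavister</decoded_as>` plus `<action>drop</action>`). The `\.*` at the start of the regex skips `prio=`, `id=` and `rev=`, so the child still matches if Clavister emits those fields with different values or widths; the `recvif=\S+` and `ipdatalen=\d+` terms are consumed but not captured because OSSEC has no natural field for them.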