Nathan, I just played around with this in a VM. It appears the decoder wants a program name defined. The following worked for me:
<decoder name="swg">
  <program_name></program_name>
  <prematch>M86 SWG Web Event</prematch>
  <regex offset="after_prematch"> - Action: (\w+);</regex>
  <order>action</order>
</decoder>

--Josh

On Mon, Mar 3, 2014 at 3:57 PM, Nathaniel Bentzinger <nbentzin...@archer-group.com> wrote:
> Just an update. When running this again today I still don't get the
> decoding. Does it make a difference that this is coming in via syslog to
> OSSEC?
>
> <!-- Mar 3 15:52:42 swg1 : M86 SWG Web Event - Action: Block; Block
> reason: Access Denied! Access to this URL: <b>
> https://upload.box.com/api/crossdomain.xml</b> is
> forbidden.<br>Transaction ID is 5314EB970246050B9FDE.; Client IP:
> 10.10.10.165; HTTPS Policy Name: Duplicate M86 HTTPS Policy; Site:
> upload.box.com; Transaction ID: 5314EB970246050B9FDE; Transaction time:
> 03/03/2014 15:52:39; URL: https://upload.box.com/api/crossdomain.xml; URL
> Category: Web Based Storage; X-Ray: -->
>
> <decoder name="swg">
>   <prematch>M86 SWG Web Event</prematch>
>   <regex offset="after_prematch"> - Action: (\w+);</regex>
>   <order>action</order>
> </decoder>
>
> *From:* Nathaniel Bentzinger
> *Sent:* Saturday, March 01, 2014 5:16 PM
> *To:* ossec-list@googlegroups.com
> *Subject:* RE: [ossec-list] Decoder assistance
>
> Hi Josh,
>
> I tried that too but when I test with the whole syslog event that comes in
> (in my original message) it never decodes it. I'll triple check that the
> syslog event from the SWG is in fact what I'm testing against.
>
> *From:* ossec-list@googlegroups.com
> [mailto:ossec-list@googlegroups.com<ossec-list@googlegroups.com>]
> *On Behalf Of *Joshua Garnett
> *Sent:* Saturday, March 01, 2014 9:13 AM
> *To:* ossec-list@googlegroups.com
> *Subject:* Re: [ossec-list] Decoder assistance
>
> Correct me if I'm wrong, but I don't believe you need to set up the match
> statements for the date and hostname. I think that should just become..
>
> <decoder name="swg1">
>   <prematch>^M86 SWG Web Event</prematch>
>   <regex offset="after_prematch"> - Action: (\w+);</regex>
>   <order>action</order>
> </decoder>
>
> --Josh
>
> On Fri, Feb 28, 2014 at 9:47 PM, Nathaniel Bentzinger <nbentzin...@archer-group.com> wrote:
> > Hi,
> >
> > I'm trying to write up a decoder for the Secure Web Gateway device. I
> > believe I hit a snag but I am not able to figure out why. I'm hoping
> > someone else will spot the issue. I've dumbed down the decoder (stripping
> > IP, URL, and extra_data from it) and it still doesn't work as expected.
> >
> > <!-- Sample Event -->
> > <!-- Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block
> > reason: ; Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS
> > Policy; Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; Transaction
> > time: 02/28/2014 15:08:29; URL: http://box.com:443; URL Category: Web
> > Based Storage; X-Ray: -->
> >
> > <decoder name="swg1">
> >   <prematch>\w+ \d+ \S+ \S+ : M86 SWG Web Event</prematch>
> >   <regex offset="after_prematch"> - Action: (\w+);</regex>
> >   <order>action</order>
> > </decoder>
> >
> > Running this decoder never returns successful decode:
> >
> > [root@secserv ~]# /var/ossec/bin/ossec-logtest
> > 2014/02/28 21:43:47 ossec-testrule: INFO: Reading local decoder file.
> > 2014/02/28 21:43:47 ossec-testrule: INFO: Started (pid: 22685).
> > ossec-testrule: Type one log per line.
> >
> > Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'
> >        hostname: 'swg1'
> >        program_name: ''
> >        log: 'M86 SWG Web Event - Action: Block;'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > Unless I strip the first \w+ and only put in '28 15:08:35 swg1 : M86 SWG
> > Web Event - Action: Block;'
> >
> > For that date prematch I have tried:
> > \w\w\w \d\d \dd:\d\d:\d\d \S+ :
> > \S+ \S+ \S+ \S+ :
> > ^\w\w\w \d\d \dd:\d\d:\d\d \S+ :
> > ^\S+ \S+ \S+ \S+ :
> > \w+ \d+ \S+ \S+ :
> > ^\w+ \d+ \S+ \S+ :
> >
> > And none work unless I strip out the first match (the month) then rerun
> > the test without the month value. None of the other local_decoders have
> > this syntax. I've even tried prematching on just SMG or M86 and it doesn't
> > return anything. Throwing these strings into ww.regexpal.com shows they
> > will match on what I need them to.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
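An added illustration, not from the thread and not OSSEC's own code: a small Python model of the two ossec-logtest phases shown above. It strips the syslog header the way Phase 1 does, so a prematch only ever sees the `log` field (which is why a prematch that starts with the month can never hit), and it models the observation that a decoder without a <program_name> element is not consulted for an event whose program_name pre-decoded as an empty string. The names `predecode`, `prematch_hits`, `decode` and `DECODERS` are mine, and the Python character classes are an approximation of OSSEC's regex syntax.

```python
import re

# Constructed copy of the SWG syslog line pasted in the thread.
SAMPLE = ("Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; "
          "Block reason: ; Client IP: 10.10.10.10; Site: box.com;")

# Phase 1 (pre-decoding): split off the syslog header. Whatever follows
# "host [program[pid]]: " is the 'log' field decoders actually see; for the
# SWG line nothing sits between hostname and colon, so program_name is ''.
HEADER = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]*)(?:\[\d+\])?: (.*)$")

def predecode(event):
    m = HEADER.match(event)
    if not m:  # no syslog header: whole line is the log, no program name
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m[2], "program_name": m[3], "log": m[4]}

# The three decoders from the thread, OSSEC regex classes approximated in
# Python (OSSEC's \w also covers '-', '@', '_'). program_name is None when
# the <program_name> element is absent and '' when it is present but empty.
ACTION = r" - Action: ([\w@-]+);"
DECODERS = {
    "nathaniel": {"program_name": None, "order": ["action"], "regex": ACTION,
                  "prematch": r"[\w@-]+ \d+ \S+ \S+ : M86 SWG Web Event"},
    "josh_v1":   {"program_name": None, "order": ["action"], "regex": ACTION,
                  "prematch": r"^M86 SWG Web Event"},
    "josh_v2":   {"program_name": "",   "order": ["action"], "regex": ACTION,
                  "prematch": r"M86 SWG Web Event"},
}

def prematch_hits(event, decoder):
    """Does the prematch alone hit the pre-decoded 'log' field?"""
    return re.search(decoder["prematch"], predecode(event)["log"]) is not None

def decode(event, decoder):
    """Phase 2: return the fields named in <order>, or None if no match."""
    pre = predecode(event)
    # Decoders declaring a <program_name> sit on a separate list, and only
    # that list is consulted when pre-decoding yielded a program_name field,
    # even an empty one. Modelled here; it matches what the thread observed.
    if (decoder["program_name"] is None) != (pre["program_name"] is None):
        return None
    m = re.search(decoder["prematch"], pre["log"])  # prematch runs on 'log'
    if not m:
        return None
    m = re.search(decoder["regex"], pre["log"][m.end():])  # after_prematch
    return dict(zip(decoder["order"], m.groups())) if m else None
```

Running `decode(SAMPLE, d)` for each entry in `DECODERS` reproduces the thread: the first two return None, only the version with an empty <program_name> yields the action.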