Hello
I am testing and working on this beautiful tool, but I have a little
decoding problem. Here it is:
My decoder is:
<decoder name="fakeinc_custom">
  <prematch>^\.+Fakeinc: </prematch>
  <regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex>
  <order>srcuser,srcip</order>
</decoder>
and my custom log is:
Mar 26 10:56:36 small-VirtualBox small: Fakeinc: service for: [email protected] <[email protected]> Failed
Why is there no decoding performed by OSSEC? I was testing with
ossec-logtest, and here is the test output:
------------------------------------------------------------
**Phase 1: Completed pre-decoding.
full event: 'Mar 26 10:56:36 small-VirtualBox small: Fakeinc:
service for: [email protected] Failed'
hostname: 'small-VirtualBox'
program_name: 'small'
log: 'Fakeinc: service for: [email protected] Failed'
**Phase 2: Completed decoding.
No decoder matched.
------------------------------------------------------------
I have also noticed that if I change my custom log by altering the time
format like:
Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for: [email protected] <[email protected]> Failed
(I just deleted the '6' from the '36' seconds)
==> it matches and it is decoding almost as expected. And here is the
output:
------------------------------------------------------------
**Phase 1: Completed pre-decoding.
full event: 'Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service
for: [email protected] Failed'
hostname: 'small-VirtualBox'
program_name: '(null)'
log: 'Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for:
[email protected] Failed'
**Phase 2: Completed decoding.
decoder: 'fakeinc_custom'
srcuser: 'toto'
srcip: '10.0.0.2'
------------------------------------------------------------
Why is that? Is that a bug, or did I miss something about decoding or
pre-decoding? I hope it is not a bug :)
Thanks
You received this message because you are subscribed to the Google Groups "ossec-list" group.
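The two ossec-logtest runs in the post can be reproduced with a small model of the pipeline. The following is an added illustration by the editor, not OSSEC's own code: it assumes a simplified syslog pre-decoder (header stripped only when the timestamp has the exact "Mon DD HH:MM:SS" shape) and a rough translation of OSSEC's regex classes into Python `re` (`\.` is any character, `\w` is letters, digits, '@', '-' and '_'). The address toto@10.0.0.2 is a constructed stand-in for the mangled one in the post.

```python
import re

# Constructed sample lines modelled on the two in the post.
GOOD_TS = "Mar 26 10:56:36 small-VirtualBox small: Fakeinc: service for: toto@10.0.0.2 Failed"
BAD_TS = "Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for: toto@10.0.0.2 Failed"

# Simplified stand-in for OSSEC's syslog pre-decoder (assumption: the real one
# has more formats, but it too only strips a header it recognises).
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^:\s]+): (?P<log>.*)$"
)


def predecode(line):
    """Return hostname/program_name/log; an unrecognised header leaves the whole line in 'log'."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group("host"), "program_name": m.group("prog"), "log": m.group("log")}


# Rough translation of OSSEC regex classes to Python re (assumption: enough for this decoder).
OSSEC_CLASSES = {
    r"\.": ".",                  # OSSEC \. = any single character
    r"\w": r"[A-Za-z0-9@_\-]",   # OSSEC \w also covers '@', '-' and '_'
    r"\S": r"\S",
    r"\s": r"\s",
    r"\d": r"\d",
}


def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in OSSEC_CLASSES:
            out.append(OSSEC_CLASSES[tok])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


# The decoder from the post, as a dict.
DECODER = {
    "name": "fakeinc_custom",
    "prematch": r"^\.+Fakeinc: ",
    "regex": r"^service for: (\w+)@(\S+) \w+",
    "order": ["srcuser", "srcip"],
}


def decode(line, decoder=DECODER):
    """Phase 1 (pre-decode) then Phase 2 (prematch, regex at offset after_prematch)."""
    pre = predecode(line)
    log = pre["log"]
    pm = re.match(ossec_to_python(decoder["prematch"]), log)
    if not pm:
        return {**pre, "decoder": None}
    rest = log[pm.end():]  # offset="after_prematch"
    m = re.match(ossec_to_python(decoder["regex"]), rest)
    fields = dict(zip(decoder["order"], m.groups())) if m else {}
    return {**pre, "decoder": decoder["name"], **fields}


if __name__ == "__main__":
    for line in (GOOD_TS, BAD_TS):
        print(decode(line))
    # Prematch without the leading \.+ (assumed fix, not from the post):
    print(decode(GOOD_TS, {**DECODER, "prematch": r"^Fakeinc: "}))
```

With the well-formed timestamp the pre-decoder leaves only 'Fakeinc: service for: ...' in the log field, and `^\.+Fakeinc: ` needs at least one character before "Fakeinc: ", so the prematch fails; with the broken timestamp nothing is stripped, the prematch consumes the whole header and the regex extracts srcuser and srcip, exactly as the two logtest outputs show. The last call shows that a prematch of `^Fakeinc: ` (an assumed change, not from the post) matches the pre-decoded log as well.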