Hi all,

Been working on a regex to match the highlighted part of the (event) string 
below:

*Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow <eth1 mail 
src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; 
app_desc: ******; app_id: 10063753; app_category: ******; matched_category: 
******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
app_rule_name: ******; web_client_type: Chrome; web_server_type: 
Microsoft-IIS; app_sig_id: 10063753:5; resource: 
http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;

... but I just can't get it to match the string I'm hoping to catch. I have 
tried different additions to the regex below; please note that it is not 
complete, as I have not got past this point without failure - yet ;) I would 
like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 

<prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+</prematch> 

I'm sure I'm missing something obvious; any hints would be greatly 
appreciated. One example of a string that won't work is (I have included 
ossec-logtest output for reference):

<prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ 
st4600fw01n/d*</prematch>

admin@lab-host99:/var/ossec/bin# ./ossec-logtest
2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
ossec-testrule: Type one log per line.

Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 
192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: 
******; app_id: 10063753; app_category: ******; matched_category: ******; 
app_properties: ******; app_risk: ******; app_rule_id: ******; 
app_rule_name: ******; web_client_type: Chrome; web_server_type: 
Microsoft-IIS; app_sig_id: 10063753:5; resource: 
http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;


**Phase 1: Completed pre-decoding.
       full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; 
appi_name: ******; app_desc: ******; app_id: 10063753; app_category: 
******; matched_category: ******; app_properties: ******; app_risk: ******; 
app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; 
web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: 
http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;'
       hostname: '127.0.0.1'
       program_name: '(null)'
       log: 'Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 
192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: 
******; app_id: 10063753; app_category: ******; matched_category: ******; 
app_properties: ******; app_risk: ******; app_rule_id: ******; 
app_rule_name: ******; web_client_type: Chrome; web_server_type: 
Microsoft-IIS; app_sig_id: 10063753:5; resource: 
http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;'

**Phase 2: Completed decoding.
       No decoder matched.


Best,
Fredrik 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
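The ossec-logtest output above shows what a decoder actually gets to see: Phase 1 (pre-decoding) has already taken "Jan 27 09:41:01 127.0.0.1" off the front and put it into `hostname`, so the `log` field starts at "Jan 27 9:32:28 st4600fw01n1 ...", and that `log` field is what a decoder's `<prematch>` is run against. The script below is an added example, not code from the post or from OSSEC: it emulates those two phases in Python with `re` (PCRE-style syntax, not OSSEC's own regex dialect, so these patterns are not paste-ready for decoder.xml), runs the posted prematch against both the full event and the `log` field, and then parses the Check Point `key: value;` pairs, including the one place where the semicolon is missing (`proxy_src_ip: 192.168.1.15 product: ...`). The sample line is the event from the post with its masked `******` values kept; the second sshd-style line, the field names `fw_host`, `action` and `iface`, and the simplified header pattern are assumptions made for the example.

```python
"""Emulate ossec-logtest Phase 1 (syslog header stripping) and Phase 2
(decoder prematch plus field extraction) for the Check Point line in the post.

Python's `re` stands in for OSSEC's regex engine here; the patterns are
PCRE-style translations, not text to paste into an OSSEC decoder.
"""
import re
from typing import Optional

# Constructed sample: the event from the post, masked ****** values kept as-is.
SAMPLE_EVENT = (
    "Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail "
    "src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; "
    "app_desc: ******; app_id: 10063753; app_category: ******; matched_category: "
    "******; app_properties: ******; app_risk: ******; app_rule_id: ******; "
    "app_rule_name: ******; web_client_type: Chrome; web_server_type: "
    "Microsoft-IIS; app_sig_id: 10063753:5; resource: "
    "http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application "
    "Control; service: http; s_port: 58579; product_family: Network;"
)

# Simplified stand-in (assumption) for OSSEC's syslog pre-decoder:
# "Mon DD HH:MM:SS hostname [program[pid]: ]log"
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{1,2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[\d+\])?: )?(?P<log>.*)$"
)

# The prematch from the post, carried over into Python syntax unchanged.
POSTED_PREMATCH = re.compile(r"^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+")

# A prematch written against the `log` field instead: inner timestamp,
# firewall host, action and interface. The group names are assumptions.
CHECKPOINT_PREMATCH = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{1,2}:\d{2}:\d{2}) (?P<fw_host>\S+) "
    r"(?P<action>\w+) <(?P<iface>\w+) (?P<rest>.*)$"
)

# "key: value;" pairs. The lookahead also ends a value at the next " key: ",
# which is what copes with "proxy_src_ip: 192.168.1.15 product: ..." where
# the semicolon is missing. Free text before the first key (the "mail"
# token) is skipped because it is never followed by ": ".
KEY_VALUE = re.compile(r"(?P<key>\w+): (?P<val>.*?)(?=; |;$| \w+: |$)")


def pre_decode(event: str) -> dict:
    """Phase 1: split the syslog header off, as ossec-logtest reports it."""
    m = SYSLOG_HEADER.match(event)
    if m is None:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m["hostname"], "program_name": m["program"], "log": m["log"]}


def decode_checkpoint(log: str) -> Optional[dict]:
    """Phase 2: run the prematch on the `log` field and pull out the fields."""
    m = CHECKPOINT_PREMATCH.match(log)
    if m is None:
        return None  # no decoder matched
    fields = {"fw_host": m["fw_host"], "action": m["action"], "iface": m["iface"]}
    fields.update((kv["key"], kv["val"]) for kv in KEY_VALUE.finditer(m["rest"]))
    return fields


def decode_event(event: str) -> Optional[dict]:
    """Both phases in order: header off first, then the decoder."""
    return decode_checkpoint(pre_decode(event)["log"])


if __name__ == "__main__":
    pre = pre_decode(SAMPLE_EVENT)
    print("hostname:", pre["hostname"], "| program_name:", pre["program_name"])
    print("log field starts with:", pre["log"][:45])
    print("posted prematch on full event:", bool(POSTED_PREMATCH.match(SAMPLE_EVENT)))
    print("posted prematch on log field: ", bool(POSTED_PREMATCH.match(pre["log"])))
    fields = decode_event(SAMPLE_EVENT)
    for key in ("fw_host", "action", "src", "dst", "proto", "s_port", "proxy_src_ip", "product"):
        print(f"{key}: {fields[key]}")
```

Running it reproduces the Phase 1 split from the post (`hostname` 127.0.0.1, no program name, `log` beginning at the inner timestamp). Transliterated into Python's `re`, the posted prematch matches neither string: on the `log` field the `127.0.0.1` header it looks for is already gone, and on the full event the trailing `\w+ \D+` consumes "Jan " and then lands on the digit "2" of "27", which `\D+` cannot match. A prematch that starts at "Jan 27 9:32:28 st4600fw01n1" matches the `log` field and, as a useful side effect, fails on the full event, which is what you want to see in a logtest run.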