Thanks Dan! I obviously didn't realize that this was the case :( This means that I should create a regex that takes the missing entry part into account and hence matches: Jan 27 9:32:28 st4600fw01n1, not the full string I was aiming for? This would then explain the, from my point of view, somewhat erratic behavior where things matched that I believed wouldn't ;)
Best,
Fredrik

On Wednesday, January 27, 2016 at 4:09:38 PM UTC+1, dan (ddpbsd) wrote:
>
> On Jan 27, 2016 10:06 AM, "Fredrik" <fredri...@gmail.com> wrote:
> >
> > Hi All,
> >
> > Been working on a regex to match the highlighted part of the (event) string below:
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > ... but I just can't get it to match the string I'm hoping to catch. I have tried different additions to the regex below, please note that it is not complete as I have not got past this point without failure - yet ;) I would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
> >
> > <prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+</prematch>
> >
> > I'm sure I'm missing something obvious, any hints would be greatly appreciated. One example of a string that won't work is (I have included ossec_logtest output for reference):
> >
> > <prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n/d*</prematch>
> >
> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
> > ossec-testrule: Type one log per line.
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> >        hostname: '127.0.0.1'
> >        program_name: '(null)'
> >        log: 'Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> >
>
> Notice that in the "log:" entry part of what you highlighted has been removed. It's a transport header, and ossec generally tries to remove those from processing.
>
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> >
> > Best,
> > Fredrik
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
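The pre-decoding step dan points out (the syslog transport header "Jan 27 09:41:01 127.0.0.1 " is split off into hostname/program_name before a decoder's <prematch> is tried against the "log:" field) is what makes a pattern written for the full event fail. The following is an added Python emulation, not code from this thread or from OSSEC: it strips the header the way the ossec-logtest Phase 1 output shows, translates OSSEC's decoder regex classes into Python `re` (my reading of the OSSEC regex syntax documentation, where `\.` means any character and a bare `.` is a literal dot; the header layout regex and the class table are assumptions), and runs Fredrik's two prematch attempts plus one anchored to the stripped log against both the full event and the "log:" field. Backtracking semantics are Python's, so confirm any result with ossec-logtest before shipping a decoder.

```python
import re

# Constructed sample in the shape of the event from the thread (the trailing
# application-control fields are shortened); not a live capture.
FULL_EVENT = (
    "Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail "
    "src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; service: http; s_port: 58579;"
)

# Phase 1 emulation. A syslog transport header is "<timestamp> <hostname> ",
# optionally followed by "<program_name>[pid]: ". This layout regex is my
# assumption about the header, not OSSEC's own pre-decoder.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^\s:\[]+)(?:\[\d+\])?: )?"
    r"(?P<log>.*)$"
)


def pre_decode(event):
    """Strip the transport header and return the fields a prematch is run on."""
    m = SYSLOG_HEADER.match(event)
    if m is None:
        # No recognisable header: the whole line is what the decoder sees.
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group("host"), "program_name": m.group("prog"), "log": m.group("log")}


# OSSEC decoder regex (os_regex) is not PCRE. The classes below follow the
# OSSEC "Regular Expression Syntax" documentation as I read it; in particular
# "\." means ANY character and a bare "." is a literal dot, the reverse of PCRE.
OSSEC_CLASSES = {
    "\\w": "[A-Za-z0-9@_-]",
    "\\d": "[0-9]",
    "\\s": " ",
    "\\t": "\t",
    "\\p": r"[()*+,\-.:;<=>?\[\]]",
    "\\W": "[^A-Za-z0-9@_-]",
    "\\D": "[^0-9]",
    "\\S": "[^ ]",
    "\\.": ".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into an equivalent Python `re` pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            # Known class, or an escaped literal such as "\$" or "\(".
            out.append(OSSEC_CLASSES.get(tok, re.escape(pattern[i + 1])))
            i += 2
        elif c in "+*^$|":
            out.append(c)             # quantifiers, anchors and OR keep their meaning
            i += 1
        else:
            out.append(re.escape(c))  # everything else, including ".", is literal
            i += 1
    return "".join(out)


def prematch(ossec_pattern, text):
    """True if the OSSEC-style pattern matches `text` (unanchored unless it uses ^)."""
    return re.search(ossec_to_python(ossec_pattern), text) is not None


# The two <prematch> attempts from the thread, and one written against the
# stripped log instead of the full event (the hostname literal is the one in
# the thread; the trailing \d+ is an assumption about the node numbering).
ATTEMPT_1 = r"^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+"
ATTEMPT_2 = r"^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n/d*"
LOG_ANCHORED = r"^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d+"


def evaluate(event=FULL_EVENT):
    """Run each pattern against the full event and against the stripped log field."""
    log = pre_decode(event)["log"]
    patterns = (("attempt_1", ATTEMPT_1), ("attempt_2", ATTEMPT_2), ("log_anchored", LOG_ANCHORED))
    return {name: {"full_event": prematch(p, event), "log": prematch(p, log)} for name, p in patterns}


if __name__ == "__main__":
    fields = pre_decode(FULL_EVENT)
    print("hostname:", fields["hostname"], "program_name:", fields["program_name"])
    print("log:", fields["log"])
    for name, result in evaluate().items():
        print(f"{name:13s} full_event={result['full_event']!s:5s} log={result['log']}")
```

Under these semantics neither of the two attempts matches the full event, because the second one lacks the day field before the inner timestamp and the first one runs out of non-digits where the `\D+` lands; the second attempt also never matches the stripped log. The first attempt does match the stripped log, but only because each `\.` may stand for any character, so the three dots intended for an IP address are absorbed inside the hostname "st4600fw01n1". That is the kind of accidental match Fredrik describes, and it matters for detection: an over-broad prematch claims events that belong to other decoders, while a prematch that never fires leaves the events undecoded and the rules blind to them. Writing the prematch against what the "log:" field actually starts with, as LOG_ANCHORED does, and reserving `\.` for places where any character really is acceptable avoids both.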