Hi All,


Gone through a few threads about decoders for IIS. I'm just getting started 
and, so far, have only managed easy stuff. I'm trying to extract the fields 
mentioned in the decoder from the log entry using the decoder below, but the 
logtester still gives the result below. What am I missing this time :)

FULL LOG ENTRY:
2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15

LOGTEST RESULTS:
**Phase 1: Completed pre-decoding.
       full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
       hostname: 'sto-lab99'
       program_name: '(null)'
       log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

DECODER:
<decoder name="web-accesslog-iis">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
  <order>srcip, action, url, srcip, dstport</order>
</decoder>

Best,
Fredrik 
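Added example (not from the post or from OSSEC itself): a small Python emulation of the two-stage parent/child decode that lets you check a regex and its <order> against a sample IIS line before loading it into ossec-logtest. It assumes the stock windows-date-format parent has a prematch that consumes the leading date and time (so an offset="after_parent" child regex sees only the remainder), uses Python `re` as a stand-in for OSSEC's own regex engine, and the FIXED_* pair is a hypothetical rewrite, not a known-good OSSEC decoder.

```python
import re

# Constructed sample in the 14-field IIS W3C layout of the posted line
# (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
#  c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken).
SAMPLE = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - "
          "10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 15")

# Assumed prematch of the windows-date-format parent: it consumes the date
# and time, so a child with offset="after_parent" matches what is left.
PARENT_PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\s")

# Regex and <order> exactly as posted.
POSTED_REGEX = r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) "
POSTED_ORDER = ["srcip", "action", "url", "srcip", "dstport"]

# Hypothetical corrected pair: starts after the timestamp, captures the URI
# stem, skips cs-uri-query and cs-username, one <order> name per group.
FIXED_REGEX = r"^(\S+) (\S+) (\S+) \S+ (\d+) \S+ (\d+.\d+.\d+.\d+) "
FIXED_ORDER = ["dstip", "action", "url", "dstport", "srcip"]

def check_order(regex, order):
    """Capture groups minus <order> names; anything but 0 is a mismatch."""
    return re.compile(regex).groups - len(order)

def decode(line, regex, order):
    """Emulate parent prematch, then child regex with offset="after_parent".
    Returns the field dict, or None when either stage fails to match."""
    parent = PARENT_PREMATCH.match(line)
    if parent is None:
        return None
    remainder = line[parent.end():]
    child = re.match(regex, remainder)
    if child is None:
        return None
    return dict(zip(order, child.groups()))

if __name__ == "__main__":
    # The posted regex re-anchors on a timestamp the parent already consumed.
    print("posted decoder:", decode(SAMPLE, POSTED_REGEX, POSTED_ORDER))
    print("posted groups - order names:", check_order(POSTED_REGEX, POSTED_ORDER))
    print("fixed decoder:", decode(SAMPLE, FIXED_REGEX, FIXED_ORDER))
```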
