Hi All,
Need your help.
I have created teh decoder for xferlog of vsftpd.
<!--
Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 /home/user/book.pdf b _ i r
someuser ftp 0 * c
-->
<decoder name="xferlog">
<program_name>^xferlog</program_name>
<prematch>^\w\w\w \w\w\w\s+\d+\s+\S+\s+\d+\s\d \d+.\d+.\d+.\d+ \d+\s|\s\d
\d+.\d+.\d+.\d+ \d+\s</prematch>
</decoder>
<decoder name="xferlog_default">
<parent>xferlog</parent>
<regex
offset="after_parent">(\S+)\s\S\s_\s\S\s\S\s(\S+)\s(\S+)\s\d\s\S\s\S$</regex>
<order>srcip,action,user</order>
</decoder>
When I test it with ossec-logtest results are empty:
*/var/ossec/bin/ossec-logtest*
* ossec-testrule: INFO: Reading decoder file
etc/ossec_decoders/xferlog_decoders.xml.*
ossec-testrule: Type one log per line.
Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 /home/user/book.pdf b _ i r
someuser ftp 0 * c
**Phase 1: Completed pre-decoding.
full event: 'Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384
/home/user/book.pdf b _ i r someuser ftp 0 * c'
hostname: 'frossec01'
program_name: '(null)'
log: ' 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp
0 * c'
**Phase 2: Completed decoding.
No decoder matched.
What is wrong in my decoder?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
