On Mon, Aug 22, 2016 at 7:46 AM, Azirako Lotr <[email protected]> wrote:
> Hi All,
>
> Need your help.
> I have created the decoder for xferlog of vsftpd.
> <!-- Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp 0 * c -->
> <decoder name="xferlog">
>   <program_name>^xferlog</program_name>
>   <prematch>^\w\w\w \w\w\w\s+\d+\s+\S+\s+\d+\s\d \d+.\d+.\d+.\d+ \d+\s|\s\d \d+.\d+.\d+.\d+ \d+\s</prematch>
> </decoder>
> <decoder name="xferlog_default">
>   <parent>xferlog</parent>
>   <regex offset="after_parent">(\S+)\s\S\s_\s\S\s\S\s(\S+)\s(\S+)\s\d\s\S\s\S$</regex>
>   <order>srcip,action,user</order>
> </decoder>
>
>
> When I test it with ossec-logtest results are empty:
>
> /var/ossec/bin/ossec-logtest
>
> ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/xferlog_decoders.xml.
>
>
> ossec-testrule: Type one log per line.
>
> Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp 0 * c
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp 0 * c'
> hostname: 'frossec01'
> program_name: '(null)'
Your decoder is looking for <program_name>^xferlog</program_name>,
which never appears in this log message.
There really isn't a whole lot in this log message to differentiate it
from any other log message.
I'm sure this isn't perfect, but it works for me:
<decoder name="xferlog">
  <prematch>^ \d+ \S+ \d+ \.+ b _ i r \S+ ftp \d+</prematch>
  <regex>^ \d+ (\S+) \d+ (\.+) \S+ _ \S+ \S+ (\S+) ftp </regex>
  <order>srcip, url, user</order>
</decoder>
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp 0 * c'
hostname: 'ix'
program_name: '(null)'
log: ' 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp 0 * c'
**Phase 2: Completed decoding.
decoder: 'xferlog'
srcip: '192.168.1.1'
url: '/home/user/book.pdf'
dstuser: 'someuser'
> log: ' 1 192.168.1.1 16384 /home/user/book.pdf b _ i r someuser ftp 0 * c'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> What is wrong in my decoder?
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
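As an added example, not code from the thread or from OSSEC, here is a Python parser for the vsftpd xferlog record format discussed above. It extracts the srcip, url and user fields that the decoder in the reply captures and, going beyond that decoder, also the transfer direction and completion status; the field order follows the standard xferlog layout, and the sample line is constructed to match the one posted in the thread.

```python
import re
from typing import Optional

# Constructed sample line, same shape as the one posted in the thread.
SAMPLE = ("Mon Aug 22 11:38:14 2016 1 192.168.1.1 16384 "
          "/home/user/book.pdf b _ i r someuser ftp 0 * c")

# The nine fixed trailing fields of an xferlog record, in order.
TRAILING = ("transfer_type", "special_action", "direction", "access_mode",
            "username", "service", "auth_method", "auth_user_id", "completion")
DIRECTION = {"i": "incoming", "o": "outgoing", "d": "delete"}
STAMP = re.compile(r"\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}")


def parse_xferlog(line: str) -> Optional[dict]:
    """Parse one xferlog record; return None if the line is not one.

    The record begins with a bare timestamp and carries no
    'host program[pid]:' syslog header, which is why ossec-logtest shows
    program_name: '(null)' and a <program_name> condition can never match.
    """
    tokens = line.split()
    # 5 timestamp tokens + transfer-time, remote-host, file-size
    # + filename (at least one token) + 9 trailing fields
    if len(tokens) < 18:
        return None
    stamp = " ".join(tokens[:5])
    if not STAMP.fullmatch(stamp):
        return None
    transfer_time, srcip, size = tokens[5:8]
    if not (transfer_time.isdigit() and size.isdigit()):
        return None
    trailing = dict(zip(TRAILING, tokens[-9:]))
    # xferlog writes the filename as a single token; rejoin defensively anyway
    url = " ".join(tokens[8:-9])
    return {
        "timestamp": stamp,
        "srcip": srcip,                 # decoder field 'srcip'
        "url": url,                     # decoder field 'url'
        "user": trailing["username"],   # decoder field 'user' (shown as dstuser)
        "size": int(size),
        "binary": trailing["transfer_type"] == "b",
        "direction": DIRECTION.get(trailing["direction"], trailing["direction"]),
        "completed": trailing["completion"] == "c",
    }
```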