Hi, this could be a good starting point:

<!-- teamviewer -->
<decoder name="teamviewer">
  <prematch>^\d+\t+\.+\d\d-\d\d-\d\d\d\d </prematch>
</decoder>
<!--
151856824   01-06-2016 19:30:36   01-06-2016 20:00:44   user   RemoteControl   {38164985-5201-4BFE-BF6E-32F2E770954E}
151856824   02-06-2016 18:29:32   02-06-2016 18:47:33   user   RemoteControl   {22D28696-95C0-4AF8-9EBE-440580B85D65}
-->
<decoder name="teamviewer-fields2">
  <parent>teamviewer</parent>
  <prematch>^\d+\t\t</prematch>
  <regex>^\d+\t+\s*(\.+)\t+(\.+)\t+(\.+)\t+RemoteControl\t+{(\.+)}</regex>
  <order>extra_data,status,srcuser,id</order>
</decoder>

<!--
673915615   Support Team   20-05-2016 19:37:51   20-05-2016 20:04:29   user   RemoteControl   {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
172856590   PCMust         16-08-2016 15:15:21   16-08-2016 15:22:54   user   RemoteControl   {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
891956027   Afterworld     18-08-2016 18:13:27   18-08-2016 18:26:37   user   RemoteControl   {E4555287-A198-4D54-8851-67C2DF8EA5DD}
-->
<decoder name="teamviewer-fields1">
  <parent>teamviewer</parent>
  <prematch>^\d+\t</prematch>
  <regex>^\d+\t+(\.+)\t+(\.+)\t+(\.+)\t+(\.+)\t+RemoteControl\t+{(\S+)} </regex>
  <order>url,extra_data,status,srcuser,id</order>
</decoder>

Output 1:

151856824   01-06-2016 19:30:36   01-06-2016 20:00:44   user   RemoteControl   {38164985-5201-4BFE-BF6E-32F2E770954E}
...
**Phase 2: Completed decoding.
       decoder: 'teamviewer'
       extra_data: '01-06-2016 19:30:36'
       status: '01-06-2016 20:00:44'
       srcuser: 'user'
       id: '38164985-5201-4BFE-BF6E-32F2E770954E}'

Output 2:

891956027   Afterworld   18-08-2016 18:13:27   18-08-2016 18:26:37   user   RemoteControl   {E4555287-A198-4D54-8851-67C2DF8EA5DD}
...
**Phase 2: Completed decoding.
       decoder: 'teamviewer'
       url: 'Afterworld'
       extra_data: '18-08-2016 18:13:27'
       status: '18-08-2016 18:26:37'
       srcuser: 'user'
       id: 'E4555287-A198-4D54-8851-67C2DF8EA5DD}'

If you create more decoders/rules for TeamViewer, please share them here.

Regards.

On Wednesday, October 12, 2016 at 1:41:56 AM UTC+2, Jacob Mcgrath wrote:
> I am looking at logging TeamViewer logs on a Windows agent. The issue is
> the irregular output, like so:
>
> 673915615   Support Team   20-05-2016 19:37:51   20-05-2016 20:04:29   user   RemoteControl   {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
> 151856824                  01-06-2016 19:30:36   01-06-2016 20:00:44   user   RemoteControl   {38164985-5201-4BFE-BF6E-32F2E770954E}
> 151856824                  02-06-2016 18:29:32   02-06-2016 18:47:33   user   RemoteControl   {22D28696-95C0-4AF8-9EBE-440580B85D65}
> 172856590   PCMust         16-08-2016 15:15:21   16-08-2016 15:22:54   user   RemoteControl   {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
> 891956027   Afterworld     18-08-2016 18:13:27   18-08-2016 18:26:37   user   RemoteControl   {E4555287-A198-4D54-8851-67C2DF8EA5DD}
>
> How would one go about regexing this type of output?
>
> The stuff in blue would be the required data to pass to rulesets.

-- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
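The irregularity both posters are working around is a single optional column (the partner's display name) in an otherwise fixed tab-separated record. Below is a stand-alone Python parser for that layout, added here as an example; it is not OSSEC code and not part of either message in the thread. It is useful for checking, offline, which values a decoder should be carrying before the rules are written: it splits on tabs, decides whether the second column is a name or already the start timestamp, strips the braces from the session GUID (the decoders above leave the closing brace in the `id` field), and computes the session length. The sample lines are constructed from the values quoted in the thread; the empty-name layout with two adjacent tabs is what the `teamviewer-fields2` prematch expects, while the single-tab variant and the `unexpected_partners` allowlist check are my assumptions, included so the parser does not depend on which one TeamViewer writes and to show the kind of rule the fields feed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of TeamViewer's incoming-connections log as
# quoted in this thread: tab-separated columns, with the partner display-name
# column either filled, left empty (two adjacent tabs) or dropped entirely
# (single tab; an assumed variant, handled so the parser does not depend on it).
# The last line is deliberately malformed and must be skipped.
SAMPLE_LOG = (
    "673915615\tSupport Team\t20-05-2016 19:37:51\t20-05-2016 20:04:29\tuser\tRemoteControl\t{811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}\n"
    "151856824\t\t01-06-2016 19:30:36\t01-06-2016 20:00:44\tuser\tRemoteControl\t{38164985-5201-4BFE-BF6E-32F2E770954E}\n"
    "151856824\t02-06-2016 18:29:32\t02-06-2016 18:47:33\tuser\tRemoteControl\t{22D28696-95C0-4AF8-9EBE-440580B85D65}\n"
    "172856590\tPCMust\t16-08-2016 15:15:21\t16-08-2016 15:22:54\tuser\tRemoteControl\t{934B2BDF-DB82-4113-9C60-9250A6E47A7A}\n"
    "891956027\tAfterworld\t18-08-2016 18:13:27\t18-08-2016 18:26:37\tuser\tRemoteControl\t{E4555287-A198-4D54-8851-67C2DF8EA5DD}\n"
    "this line is deliberately malformed and must be skipped\n"
)

TS_FMT = "%d-%m-%Y %H:%M:%S"  # timestamps in the log are day-month-year
DATE_RE = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}$")
# The session ID is a GUID in braces; capture only the GUID so the braces
# never leak into the field.
SESSION_RE = re.compile(
    r"^\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a connection record."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("\t")]
    if len(fields) < 6 or not fields[0].isdigit():
        return None
    # Column 2 is either the partner display name (possibly empty) or, when the
    # column was dropped entirely, already the start timestamp.
    if DATE_RE.match(fields[1]):
        name, rest = "", fields[1:]
    else:
        name, rest = fields[1], fields[2:]
    if len(rest) < 5:
        return None
    start, end, local_user, mode, session = rest[:5]
    sess = SESSION_RE.match(session)
    if not (DATE_RE.match(start) and DATE_RE.match(end) and sess):
        return None
    try:
        start_dt = datetime.strptime(start, TS_FMT)
        end_dt = datetime.strptime(end, TS_FMT)
    except ValueError:  # e.g. a month of 13 that the regex cannot reject
        return None
    return {
        "partner_id": fields[0],
        "partner_name": name,
        "start": start_dt,
        "end": end_dt,
        "duration_s": int((end_dt - start_dt).total_seconds()),
        "local_user": local_user,
        "mode": mode,
        "session_id": sess.group(1),
    }


def parse_log(text):
    """Parse every line of the log; malformed lines are dropped, not raised on."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def unexpected_partners(records, allowed_ids):
    """Rule analogue (assumed policy): records whose remote TeamViewer ID is not on the allowlist."""
    return [r for r in records if r["partner_id"] not in allowed_ids]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['start']:%Y-%m-%d %H:%M} {r['partner_id']:>10} "
              f"{r['partner_name'] or '-':<14} {r['duration_s']:>5}s {r['session_id']}")
    # Illustrative allowlist: the two partner IDs seen most often in the sample.
    for r in unexpected_partners(recs, {"673915615", "151856824"}):
        print("ALERT: unlisted partner", r["partner_id"], r["partner_name"] or "-")
```

Running the script prints one line per session and two ALERT lines for the partner IDs outside the allowlist. In an OSSEC deployment the equivalent of `unexpected_partners` would be a rule matching on the decoded ID field, which is why it matters that the decoder captures the GUID and the partner ID cleanly; the second `\d+` prematch alone cannot tell the two layouts apart, which is what the two child decoders with different tab counts achieve.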