Hi,

this could be a good starting point:
<!-- teamviewer -->
<decoder name="teamviewer">
    <prematch>^\d+\t+\.+\d\d-\d\d-\d\d\d\d </prematch>
</decoder>


<!--
151856824 01-06-2016 19:30:36 01-06-2016 20:00:44 user RemoteControl {38164985-5201-4BFE-BF6E-32F2E770954E}
151856824 02-06-2016 18:29:32 02-06-2016 18:47:33 user RemoteControl {22D28696-95C0-4AF8-9EBE-440580B85D65}
-->
<decoder name="teamviewer-fields2">
    <parent>teamviewer</parent>
    <prematch>^\d+\t\t</prematch>
    <regex>^\d+\t+\s*(\.+)\t+(\.+)\t+(\.+)\t+RemoteControl\t+{(\.+)}</regex>
    <order>extra_data,status,srcuser,id</order>
</decoder>


<!--
673915615 Support Team 20-05-2016 19:37:51 20-05-2016 20:04:29 user RemoteControl {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
172856590 PCMust 16-08-2016 15:15:21 16-08-2016 15:22:54 user RemoteControl {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
891956027 Afterworld 18-08-2016 18:13:27 18-08-2016 18:26:37 user RemoteControl {E4555287-A198-4D54-8851-67C2DF8EA5DD}
-->
<decoder name="teamviewer-fields1">
    <parent>teamviewer</parent>
    <prematch>^\d+\t</prematch>
    <regex>^\d+\t+(\.+)\t+(\.+)\t+(\.+)\t+(\.+)\t+RemoteControl\t+{(\S+)}</regex>
    <order>url,extra_data,status,srcuser,id</order>
</decoder>

Output 1:
151856824               01-06-2016 19:30:36     01-06-2016 20:00:44     user    RemoteControl   {38164985-5201-4BFE-BF6E-32F2E770954E}
...
**Phase 2: Completed decoding.
       decoder: 'teamviewer'
       extra_data: '01-06-2016 19:30:36'
       status: '01-06-2016 20:00:44'
       srcuser: 'user'
       id: '38164985-5201-4BFE-BF6E-32F2E770954E}'


Output 2:
891956027       Afterworld      18-08-2016 18:13:27     18-08-2016 18:26:37     user    RemoteControl   {E4555287-A198-4D54-8851-67C2DF8EA5DD}
...
**Phase 2: Completed decoding.
       decoder: 'teamviewer'
       url: 'Afterworld'
       extra_data: '18-08-2016 18:13:27'
       status: '18-08-2016 18:26:37'
       srcuser: 'user'
       id: 'E4555287-A198-4D54-8851-67C2DF8EA5DD}'

If you create more decoders/rules for teamviewer, please share them here.

Regards.

On Wednesday, October 12, 2016 at 1:41:56 AM UTC+2, Jacob Mcgrath wrote:
>
> I am looking at logging on a Windows agent TeamViewer logs.  The issue is 
> the irregular output like so.
>
> 673915615     Support Team    20-05-2016 19:37:51     20-05-2016 20:04:29     
> user    RemoteControl   {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}  
> 151856824             01-06-2016 19:30:36     01-06-2016 20:00:44     user    
> RemoteControl   {38164985-5201-4BFE-BF6E-32F2E770954E}  
> 151856824             02-06-2016 18:29:32     02-06-2016 18:47:33     user    
> RemoteControl   {22D28696-95C0-4AF8-9EBE-440580B85D65}  
> 172856590     PCMust  16-08-2016 15:15:21     16-08-2016 15:22:54     user    
> RemoteControl   {934B2BDF-DB82-4113-9C60-9250A6E47A7A}  
> 891956027     Afterworld      18-08-2016 18:13:27     18-08-2016 18:26:37     
> user    RemoteControl   {E4555287-A198-4D54-8851-67C2DF8EA5DD}
>
>
> How would one go about regexing this type of output?
>
>
> The stuff in blue would be the required data to pass to rulesets      
>
>

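As an added example (not code from the thread or from OSSEC): a Python parser for the same tab-separated TeamViewer connection records, handling the named and the empty-name variant with one expression and exposing the fields under the names the posted decoders use, plus a session-duration check of the kind a follow-up rule could alert on. It assumes the records are tab-separated as in TeamViewer's Connections_incoming.txt; the sample lines are constructed from the records quoted in the thread.

```python
import re
from datetime import datetime

# A TeamViewer connection record (assumption: tab-separated, as in its
# Connections_incoming.txt). The display name may be empty, which is why the
# post needs two child decoders; a lazy [^\t]*? group covers both layouts here.
RECORD_RE = re.compile(
    r"^(?P<tv_id>\d+)\t+"
    r"(?P<name>[^\t]*?)\t+"
    r"(?P<start>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\t+"
    r"(?P<end>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\t+"
    r"(?P<srcuser>[^\t]+)\t+"
    r"(?P<mode>[^\t]+)\t+"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}\s*$"
)
TIME_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample input: the thread's records with tabs restored (line 2 has the empty name).
SAMPLE_LINES = [
    "673915615\tSupport Team\t20-05-2016 19:37:51\t20-05-2016 20:04:29\tuser\tRemoteControl\t{811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}",
    "151856824\t\t01-06-2016 19:30:36\t01-06-2016 20:00:44\tuser\tRemoteControl\t{38164985-5201-4BFE-BF6E-32F2E770954E}",
    "891956027\tAfterworld\t18-08-2016 18:13:27\t18-08-2016 18:26:37\tuser\tRemoteControl\t{E4555287-A198-4D54-8851-67C2DF8EA5DD}",
]


def decode(line):
    """Fields under the posted decoders' names (url = display name,
    extra_data = start, status = end, srcuser, id) plus duration, or None.
    Unlike the ossec-logtest output above, the GUID comes without braces."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    start = datetime.strptime(m["start"], TIME_FMT)
    end = datetime.strptime(m["end"], TIME_FMT)
    return {
        "teamviewer_id": m["tv_id"],
        "url": m["name"] or None,  # None for the two-tab (unnamed) variant
        "extra_data": m["start"],
        "status": m["end"],
        "srcuser": m["srcuser"],
        "mode": m["mode"],
        "id": m["guid"],
        "duration_s": int((end - start).total_seconds()),
    }


def long_sessions(lines, max_minutes=30):
    """RemoteControl sessions longer than max_minutes: a threshold a
    follow-up OSSEC rule on these decoded fields could alert on."""
    return [r for r in map(decode, lines) if r and r["mode"] == "RemoteControl"
            and r["duration_s"] > max_minutes * 60]
```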
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.