<https://lh3.googleusercontent.com/-n47to6eHiT8/WSrf3ePZq2I/AAAAAAAAAAM/oDmoGiNxQCMbTKeSY_ZXpouAclLZBSoIACLcB/s1600/ossec-logtest%2Bresult.JPG>
Hi Guys!

I'm making a decoder for VPN phase 2 problems on the FortiGate.

Sample log:
date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 
devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn 
level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec 
phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 
remport=500 locport=500 outintf="wan2" 
cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" 
xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" 
phase2_name=VPN_XPTO


Decoder parent:
<decoder name="fortigate-firewall-v5">
    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+</prematch>
    <type>syslog</type>
</decoder>


My decoder:
<decoder name="fortigate-firewall-v5-event-vpn-fields4">
    <parent>fortigate-firewall-v5</parent>
    <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=</regex>
    <order>extra_data, action, dstip, srcip, status</order>
</decoder>

In the image of the test done with logtest, it does not show the data
extra_data, action, dstip, srcip, status.

I wonder what's wrong with my decoder.

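Added example, not part of the original post or of OSSEC itself: a small Python stand-in for the checks one would otherwise run through ossec-logtest, so the posted decoder can be examined offline. It translates OSSEC decoder regex syntax (\S, \., \w, \d, \s, \p, capture groups, quantifiers) into Python's re module, applies the parent prematch and the child regex to the sample log from the message (re-joined onto one line), and compares the number of capture groups with the number of names in <order>. Assumptions: Python's backtracking matcher only approximates OSSEC's os_regex, the OSSEC \w definition (letters, digits, '-', '@', '_') and the list of static <order> field names are taken from the OSSEC 2.x documentation as I remember them, and the "fixed" regex and order at the end are my suggestion, not something from the thread.

```python
import re

# The FortiGate phase-2 event from the post, re-joined onto one line
# (constructed from the sample in the message, not captured live).
SAMPLE_LOG = (
    'date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 '
    'devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn '
    'level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec '
    'phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 '
    'remport=500 locport=500 outintf="wan2" '
    'cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" '
    'xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" '
    'phase2_name=VPN_XPTO'
)

# Patterns as posted: parent prematch, child regex and child order.
PARENT_PREMATCH = r'date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+'
POSTED_REGEX = r'logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip='
POSTED_ORDER = ['extra_data', 'action', 'dstip', 'srcip', 'status']

# Suggested fix (my assumption, not from the thread): one capture group per
# <order> name, and no <order> name that has nothing to capture.
FIXED_REGEX = r'logdesc="\.+" msg="(\.+)" action=(\S+) remip=(\S+) locip=(\S+)'
FIXED_ORDER = ['extra_data', 'action', 'dstip', 'srcip']

# Static field names an OSSEC 2.x <order> may use (assumption: from the docs).
OSSEC_FIELDS = {
    'location', 'srcuser', 'dstuser', 'srcip', 'dstip', 'srcport', 'dstport',
    'protocol', 'action', 'id', 'url', 'data', 'extra_data', 'status',
    'system_name',
}

# OSSEC regex escapes and their nearest Python equivalents.  Python's
# backtracking engine is only an approximation of OSSEC's os_regex.
_ESCAPES = {
    'w': r'[A-Za-z0-9@_\-]',   # OSSEC \w also covers '-', '@' and '_'
    'd': r'[0-9]',
    's': r' ',
    't': r'\t',
    'p': r'[()*+,\-.:;<=>?\[\]]',
    'W': r'[^A-Za-z0-9@_\-]',
    'D': r'[^0-9]',
    'S': r'[^ ]',
    '.': r'.',                 # only the escaped dot means "any character"
}
_LITERAL_ESCAPES = set('()^$|\\')   # \( \) \^ \$ \| \\ stand for themselves


def ossec_to_python(pattern):
    """Translate OSSEC decoder regex syntax into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            if i + 1 == len(pattern):
                raise ValueError('dangling backslash in %r' % pattern)
            e = pattern[i + 1]
            if e in _ESCAPES:
                out.append(_ESCAPES[e])
            elif e in _LITERAL_ESCAPES:
                out.append(re.escape(e))
            else:
                raise ValueError('unsupported OSSEC escape \\%s' % e)
            i += 2
        elif c in '()^$|+*?':
            out.append(c)   # groups, anchors, alternation, quantifiers line up
            i += 1
        else:
            out.append(re.escape(c))   # everything else, '.' included, is literal
            i += 1
    return ''.join(out)


def lint(regex, order):
    """Structural problems a child decoder has before any log is matched."""
    problems = []
    groups = re.compile(ossec_to_python(regex)).groups
    if groups != len(order):
        problems.append('regex captures %d group(s) but <order> names %d field(s)'
                        % (groups, len(order)))
    for name in order:
        if name not in OSSEC_FIELDS:
            problems.append('unknown <order> field %r' % name)
    return problems


def decode(log, prematch, regex, order):
    """Approximate the parent prematch / child regex run of ossec-logtest."""
    if not re.search(ossec_to_python(prematch), log):
        return None   # parent never matched, so the child is never tried
    m = re.search(ossec_to_python(regex), log)
    if not m:
        return None   # child regex failed: no fields at all
    # Only captured groups can populate fields; surplus <order> names stay empty.
    return dict(zip(order, m.groups()))


if __name__ == '__main__':
    for label, regex, order in (('posted', POSTED_REGEX, POSTED_ORDER),
                                ('fixed', FIXED_REGEX, FIXED_ORDER)):
        print(label, 'lint:', lint(regex, order) or 'ok')
        print(label, 'fields:', decode(SAMPLE_LOG, PARENT_PREMATCH, regex, order))
```

Run as a script it prints the lint result and the decoded fields for both decoders. The structural point it surfaces is independent of the regex engine: the posted regex has three capture groups (msg, remip and the action text) while <order> names five fields, so srcip and status have no group that could ever fill them. Whether the rest of the fields also stay empty in ossec-logtest cannot be settled by this approximation; confirm with ossec-logtest itself, which runs the real os_regex matcher.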