Hi everyone! I am wondering if we already have in OSSEC a custom decoder according to this kind of log, to get the red values.

1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.

I tried to do a custom one, but without success. I leave here what I've done. This one is getting the "1022 AUDIT" to discriminate the one I need from the rest:

<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w</prematch>
</decoder>

And here is where I'm trying to get the underlined red values at the beginning of the text, but I'm not sure about:
- The type of the log I have to use, or if it is necessary
- The "order" value I have to use to take these two red values
- The structure of the decoder

<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <type>---------</type>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\s\w+/\w+/\w+/\w+(/\w+),\.*</regex>
  <order>---------</order>
</decoder>

Thanks and Regards!
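As an added example (editor's code, not the poster's decoder and not something OSSEC ships), a parent/child decoder pair for the audit line above that fills the standard user, action, status and srcip fields. It assumes an OSSEC 2.x layout where custom decoders go in /var/ossec/etc/local_decoder.xml, and that the Brocade message reaches OSSEC with any syslog header already stripped, so it starts at the sequence number.

```xml
<!-- Added example, not from the original post. Assumes the line arrives as
     "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, ..."
     (syslog header already removed). Place in /var/ossec/etc/local_decoder.xml. -->

<!-- Parent: claims only AUDIT records. A literal is clearer than \w\w\w\w and
     cannot accidentally match other four-letter record types. -->
<decoder name="brocade-audit">
  <prematch>^\d+ AUDIT, </prematch>
</decoder>

<!-- Child: tried only after the parent matched. <type> is optional and
     defaults to syslog, so it is left out. OSSEC regex classes used here:
       \S+  run of non-space characters (the user and host contain dots,
            which \w does not cover)
       \w+  letters, digits, @, _ and -
       \.+  run of any characters, used to skip fields we do not need
     Each ( ) capture is assigned, left to right, to the names in <order>. -->
<decoder name="brocade-audit-login">
  <parent>brocade-audit</parent>
  <regex offset="after_parent">(\S+)/user/\.+ Event: (\w+), Status: (\w+), Info: \.+, IP Addr: (\S+)</regex>
  <order>user, action, status, srcip</order>
</decoder>
```

Pasting the sample line into /var/ossec/bin/ossec-logtest shows which decoder fired and the decoded fields (user: diego.gonzales, action: login, status: success, srcip: the host at the end), which is the quickest way to iterate on the regex. If the address field is empty or truncated, check whether the line carries a trailing character not present in the sample.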
