On Fri, Oct 11, 2019 at 11:49 AM Diego S <rabits...@gmail.com> wrote:
>
> Hi everyone!
>
> I'm wondering if we already have on OSSEC a custom decoder according to this
> kind of log to get the red values.
>
> 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
>

Running this through ossec-logtest gives me this:

**Phase 1: Completed pre-decoding.
       full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
       hostname: 'ix'
       program_name: '(null)'
       log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
       decoder: 'squid-accesslog'

**Phase 3: Completed filtering (rules).
       Rule id: '35000'
       Level: '0'
       Description: 'Squid messages grouped.'

I get the same output with and without your custom decoder. You'll need to put your decoder before the squid decoder.

> I tried to do a custom one, but without success.
>
> I'll leave here what I've done.
>
> This one is getting the "1022 AUDIT" to discriminate the one I need from the
> rest.
>
> <decoder name="Brocade-format">
>   <prematch>^\d+\s\w\w\w\w</prematch>
> </decoder>
>
> And here is where I'm trying to get the underlined red values at the beginning
> of the text, but I'm not sure about:
>
> - The type of the log I have to use, or if it is necessary
> - The "order" value I have to use to take both red values.
> - The structure of the decoder.
>
> <decoder name="Brocade-login">
>   <parent>Brocade-format</parent>
>   <type>---------</type>
>   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\s\w+/\w+/\w+/\w+(/\w+),\.*</regex>
>   <order>---------</order>
> </decoder>
>
> Thanks and Regards!
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/6d13f649-698c-41bf-b386-08602e9b2f80%40googlegroups.com.
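A parent/child decoder pair plus a rule that pull the user, event, status and source host out of the Brocade AUDIT line quoted above, written here as an added example rather than code from the thread or from OSSEC's stock decoder set. The decoder names, the rule id 100100 and the choice of extra_data for the host field are my own; as the reply says, the decoders only win if they are loaded before the stock squid-accesslog decoder.

```xml
<!-- Added example (not from the thread): Brocade AUDIT decoders for OSSEC.
     Load these ahead of the stock squid-accesslog decoder, e.g. near the top
     of decoder.xml, so the squid prematch does not claim the line first. -->

<!-- Parent: claims any line that starts with "<seq> AUDIT, ". -->
<decoder name="brocade-audit">
  <prematch>^\d+ AUDIT, </prematch>
</decoder>

<!-- Child: parses the remainder after the parent prematch. Token layout:
       <timestamp> (<tz>), [<msg-id>], <severity>, <class>,
       <user>/user/<host>/<proto>/<ifc>, <switch ctx>, , Event: <ev>,
       Status: <st>, Info: <free text>, IP Addr: <source host>
     OSSEC regex: \S+ = non-space run, \w+ = alphanumerics, \.+ = anything.
     The captured host keeps the trailing "." the switch prints; it is a
     hostname, not an address, so it goes to extra_data rather than srcip. -->
<decoder name="brocade-audit-login">
  <parent>brocade-audit</parent>
  <regex offset="after_parent">^\S+ \S+ \S+ \w+, \w+, (\S+)/user/\S+, \.+, , Event: (\w+), Status: (\w+), Info: \.+, IP Addr: (\S+)</regex>
  <order>user, action, status, extra_data</order>
</decoder>

<!-- Rule: alert on successful Brocade logins. decoded_as names the parent;
     100100 is an arbitrary id inside the local rule range (assumption). -->
<group name="brocade,">
  <rule id="100100" level="3">
    <decoded_as>brocade-audit</decoded_as>
    <action>login</action>
    <status>success</status>
    <description>Brocade switch: successful login by $(user)</description>
  </rule>
</group>
```

Feed the original line to ossec-logtest after installing these; Phase 2 should now report decoder 'brocade-audit' with user, action, status and extra_data filled, and Phase 3 should hit rule 100100 instead of 35000.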