On Fri, Oct 11, 2019 at 12:06 PM dan (ddp) <ddp...@gmail.com> wrote:
>
> On Fri, Oct 11, 2019 at 11:49 AM Diego S <rabits...@gmail.com> wrote:
> >
> > Hi everyone!
> >
> > I'm wondering if we already have on ossec a custom decoder according to this
> > kind of log to get the red values.
> >
> > 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, 
> > diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, 
> > ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful 
> > login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
> >
>
> Running this through ossec-logtest gives me this:
> **Phase 1: Completed pre-decoding.
>        full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
> INFO, SECURITY,
> diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
> Successful login attempt via REMOTE, IP Addr:
> pivonox.prod.pci.elan.red.com.uy.'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
> SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
> Successful login attempt via REMOTE, IP Addr:
> pivonox.prod.pci.elan.red.com.uy.'
>
> **Phase 2: Completed decoding.
>        decoder: 'squid-accesslog'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '35000'
>        Level: '0'
>        Description: 'Squid messages grouped.'
>
> I get the same output with and without your custom decoder. You'll
> need to put your decoder before the squid decoder.
>

I put this before the squid-accesslog decoder in decoder.xml:
<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>
<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <!--<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>-->
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
  <order>user,second</order>
</decoder>

Now I get the following output:
**Phase 1: Completed pre-decoding.
       full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
       hostname: 'ix'
       program_name: '(null)'
       log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
       decoder: 'Brocade-format'
       dstuser: 'diego.gonzales'
       second: '/ssh/CLI'

I'm sure it can be cleaned up a lot, and using pcre2 might make it even better.

> >
> > I tried to do a custom one, but without success.
> >
> > I leave you here what I've done.
> >
> > This one is getting the "1022 Audit" to discriminate the one I need from the
> > rest.
> >
> > <decoder name="Brocade-format">
> >   <prematch>^\d+\s\w\w\w\w</prematch>
> > </decoder>
> >
> > And here is where I'm trying to get the underlined red values at the
> > beginning of the text, but I'm not sure of:
> >
> > -The type of the log I have to use, or if it is necessary
> > -The "order" value I have to use to take both of these red values.
> > -The structure of the decoder.
> >
> > <decoder name="Brocade-login">
> >   <parent>Brocade-format</parent>
> >   <type>---------</type>
> >   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>
> >   <order>---------</order>
> > </decoder>
> >
> > Thanks and Regards!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to ossec-list+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/ossec-list/6d13f649-698c-41bf-b386-08602e9b2f80%40googlegroups.com.

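As an added example (not code from the thread or from OSSEC), the same Brocade audit line parsed in Python: it extracts the two fields the decoder above captures (the user and the "/ssh/CLI" suffix, assumed here to be interface and application) plus the Event/Status/Info/IP Addr pairs, which is what a rule that flags failed logins would need. The field names, the second sample line and its message id are constructed for the example.

```python
import re
from typing import Optional

# Sample lines: the first is the line from the thread, the second is a
# constructed failure case with a placeholder message id.
SAMPLE_LINES = [
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful "
    "login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.",
    "1023 AUDIT, 2019/07/26-18:05:10 (UYT), [SEC-EXAMPLE], INFO, SECURITY, "
    "diego.gonzales/user/192.0.2.10/ssh/CLI, ad_0/SW-FC-2/FID 128, , "
    "Event: login, Status: failed, Info: Failed login attempt via REMOTE, "
    "IP Addr: 192.0.2.10.",
]

# Header layout inferred from the sample: seq class, timestamp (tz), [msgid],
# severity, category, user/role/source/interface/app, context, empty field, tail.
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<cls>\w+), "
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) \((?P<tz>\w+)\), "
    r"\[(?P<msgid>[^\]]+)\], (?P<severity>\w+), (?P<category>\w+), "
    r"(?P<user>[^/,]+)/(?P<role>[^/,]+)/(?P<src>[^/,]+)/(?P<iface>[^/,]+)/(?P<app>[^,]+), "
    r"(?P<context>[^,]*), (?P<extra>[^,]*), (?P<tail>.*)$"
)
# Split the tail only where a new "Key: " token starts, so values that contain
# commas stay intact; the trailing '.' is treated as sentence punctuation.
KV_SPLIT = re.compile(r", (?=[A-Z][\w ]*: )")


def parse_brocade_audit(line: str) -> Optional[dict]:
    """Return the decoded fields, or None if the line is not in this format."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for item in KV_SPLIT.split(fields.pop("tail").rstrip(".")):
        key, _, value = item.partition(": ")
        fields[key.strip().lower().replace(" ", "_")] = value.strip()
    # Mirror the two fields the thread's decoder extracts (order: user,second).
    fields["dstuser"] = fields["user"]
    fields["second"] = "/{}/{}".format(fields["iface"], fields["app"])
    return fields


def is_failed_login(fields: dict) -> bool:
    """Detection helper: a login event whose status is anything but success."""
    return fields.get("event") == "login" and fields.get("status") != "success"
```

Running `parse_brocade_audit` over each entry of `SAMPLE_LINES` gives `dstuser` and `second` matching the ossec-logtest output above, and `is_failed_login` is true only for the constructed second line.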