On Fri, Oct 11, 2019 at 12:06 PM dan (ddp) <ddp...@gmail.com> wrote:
>
> On Fri, Oct 11, 2019 at 11:49 AM Diego S <rabits...@gmail.com> wrote:
> >
> > Hi everyone!
> >
> > I'm wondering if we already have in OSSEC a custom decoder according to this
> > kind of log to get the red values.
> >
> > 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY,
> > diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> > ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful
> > login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
> >
>
> Running this through ossec-logtest gives me this:
>
> **Phase 1: Completed pre-decoding.
>        full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
>
> **Phase 2: Completed decoding.
>        decoder: 'squid-accesslog'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '35000'
>        Level: '0'
>        Description: 'Squid messages grouped.'
>
> I get the same output with and without your custom decoder. You'll
> need to put your decoder before the squid decoder.
>
I put this before the squid-accesslog decoder in decoder.xml:

<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>

<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <!--<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>-->
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
  <order>user,second</order>
</decoder>

Now I get the following output:

**Phase 1: Completed pre-decoding.
       full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
       hostname: 'ix'
       program_name: '(null)'
       log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
       decoder: 'Brocade-format'
       dstuser: 'diego.gonzales'
       second: '/ssh/CLI'

I'm sure it can be cleaned up a lot, and using pcre2 might make it even better.

> >
> > I tried to do a custom one, but without success.
> >
> > I leave here what I've done.
> >
> > This one is getting the "1022 Audit" to discriminate the one I need from the
> > rest.
> >
> > <decoder name="Brocade-format">
> >   <prematch>^\d+\s\w\w\w\w</prematch>
> > </decoder>
> >
> > .
> >
> > And here is where I'm trying to get the underlined red values at the
> > beginning of the text, but I'm not sure about:
> >
> > -The type of the log I have to use, or if it is necessary
> > -The "order" value I have to use to take both red values.
> > -The structure of the decoder.
> >
> > <decoder name="Brocade-login">
> >   <parent>Brocade-format</parent>
> >   <type>---------</type>
> >   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>
> >   <order>---------</order>
> > </decoder>
> >
> > Thanks and Regards!
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/ossec-list/6d13f649-698c-41bf-b386-08602e9b2f80%40googlegroups.com.
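A worked illustration of what the parent/child decoder pair in this thread extracts, and of why decoder order in decoder.xml matters, added here as an example. It is not code from the thread, from OSSEC, or from Brocade. The sample line is a copy of the AUDIT event quoted above; the regular expressions are rewritten in Python's re syntax (OSSEC's own regex dialect differs, e.g. \p for punctuation and positional rather than named groups); BROAD_PREMATCH is a constructed stand-in for a decoder that also prematches this line and is not the real squid-accesslog prematch; the extra field names (timestamp, msgid, scope, Event, Status, IP Addr) are this example's own choices beyond the user/second pair the thread's decoder keeps.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Sample input: the Brocade AUDIT line quoted in the thread (constructed copy).
SAMPLE_LINE = (
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, "
    "Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy."
)

# Python-re counterpart of the parent decoder's <prematch>: sequence number, "AUDIT", comma.
BROCADE_PREMATCH = re.compile(r"^(?P<seq>\d+) AUDIT, ")

# Python-re counterpart of the child decoder's <regex offset="after_parent">.
# This is a rewrite, not the thread's expression: it names every field instead
# of only the two that the thread's <order>user,second</order> keeps.
BROCADE_BODY = re.compile(
    r"^(?P<timestamp>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) \((?P<tz>\w+)\), "
    r"\[(?P<msgid>[^\]]+)\], (?P<severity>[^,]+), (?P<class>[^,]+), "
    r"(?P<user>[^/,]+)/(?P<role>[^/,]+)/(?P<src_host>[^/,]+)/(?P<access>[^,]+), "
    r"(?P<scope>[^,]*), (?P<reserved>[^,]*), (?P<details>.*)$"
)


def parse_details(details: str) -> Dict[str, str]:
    """Split 'Event: login, Status: success, Info: ...' into a dict.

    The Info free text may itself contain ', ', so a fragment without a
    'Key: ' prefix is appended to the previous value instead of being lost.
    """
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for fragment in details.split(", "):
        key, sep, value = fragment.partition(": ")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] += ", " + fragment
    return fields


def decode_brocade(line: str) -> Optional[Dict[str, str]]:
    """Mimic the parent/child decoder pair; None means 'not a Brocade AUDIT line'."""
    head = BROCADE_PREMATCH.match(line)
    if head is None:
        return None  # prematch failed: OSSEC would move on to the next decoder
    body = BROCADE_BODY.match(line[head.end():])  # offset="after_parent"
    if body is None:
        return {"seq": head.group("seq")}  # parent matched, child did not
    fields = {"seq": head.group("seq"), **body.groupdict()}
    fields.update(parse_details(fields.pop("details")))
    # The two values the thread's decoder emits, under the names logtest showed.
    fields["dstuser"] = fields["user"]
    fields["second"] = "/" + fields["access"]
    return fields


Decoder = Tuple[str, Pattern[str]]

# Constructed stand-in for a broad decoder whose prematch also hits this line.
# It is NOT the real squid-accesslog prematch, which the thread does not quote.
BROAD_PREMATCH = re.compile(r"^\d+ ")


def first_matching_decoder(line: str, decoders: List[Decoder]) -> Optional[str]:
    """OSSEC walks decoder.xml in file order and keeps the first prematch hit,
    which is why the Brocade decoder has to sit before the broader one."""
    for name, prematch in decoders:
        if prematch.search(line):
            return name
    return None


if __name__ == "__main__":
    for key, value in (decode_brocade(SAMPLE_LINE) or {}).items():
        print(f"{key}: {value!r}")
    order = [("squid-accesslog", BROAD_PREMATCH), ("Brocade-format", BROCADE_PREMATCH)]
    print("as listed:", first_matching_decoder(SAMPLE_LINE, order))
    print("reordered:", first_matching_decoder(SAMPLE_LINE, order[::-1]))
```

Run stand-alone it prints every decoded field and then shows the same line claimed by the broad decoder when it is listed first and by Brocade-format when the order is reversed, which is the behaviour behind the "put your decoder before the squid decoder" advice. Keeping Event, Status and IP Addr as named fields is what lets a rule later match on a failed login rather than only on the user string.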