I'm sure it can be cleaned up a lot
On Fri, Oct 11, 2019 at 12:06 PM dan (ddp) <ddp...@gmail.com> wrote:
>
> On Fri, Oct 11, 2019 at 11:49 AM Diego S <rabits...@gmail.com> wrote:
> >
> > Hi everyone!
> >
> > I wondering if we already have on ossec a custom decoder acording to this
> > kind of log to get the red values.
> >
> > 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY,
> > diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> > ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful
> > login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
> >
>
> Running this through ossec-logtest gives me this:
> **Phase 1: Completed pre-decoding.
> full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
> INFO, SECURITY,
> diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
> Successful login attempt via REMOTE, IP Addr:
> pivonox.prod.pci.elan.red.com.uy.'
> hostname: 'ix'
> program_name: '(null)'
> log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
> SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
> Successful login attempt via REMOTE, IP Addr:
> pivonox.prod.pci.elan.red.com.uy.'
>
> **Phase 2: Completed decoding.
> decoder: 'squid-accesslog'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '35000'
> Level: '0'
> Description: 'Squid messages grouped.'
>
> I get the same output with and without your custom decoder. You'll
> need to put your decoder before the squid decoder.
>
I put this before the squid-accesslog decoder in decoder.xml:
<decoder name="Brocade-format">
<prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>
<decoder name="Brocade-login">
<parent>Brocade-format</parent>
<!--<regex
offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>-->
<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d
\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
<order>user,second</order>
</decoder>
Now I get the following output:
**Phase 1: Completed pre-decoding.
full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
hostname: 'ix'
program_name: '(null)'
log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
**Phase 2: Completed decoding.
decoder: 'Brocade-format'
dstuser: 'diego.gonzales'
second: '/ssh/CLI'
I'm sure it can be cleaned up a lot, and using pcre2 might make it even better.
> >
> > I tried to do a custom one, but without success.
> >
> >
> > I let you here what ive did.
> >
> >
> >
> > This one is getting the "1022 Audit" for discriminate the one i need to the
> > rest.
> >
> >
> > <decoder name="Brocade-format">
> >
> > <prematch>^\d+\s\w\w\w\w</prematch>
> >
> > </decoder>
> >
> >
> > .
> >
> >
> > And here is when im trying to get the underlined red values at the
> > begining of the text but im not sure:
> >
> >
> > -The type of the log i have to use or if it is necesary
> >
> > -The "order" value i have tho use to take this both red values.
> >
> > -The structure of the decoder.
> >
> >
> > <decoder name="Brocade-login">
> >
> > <parent>Brocade-format</parent>
> >
> > <type>---------</type>
> >
> > <regex
> > offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>
> >
> > <order>---------</order>
> >
> > </decoder>
> >
> >
> >
> > Thanks and Regards!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/ossec-list/6d13f649-698c-41bf-b386-08602e9b2f80%40googlegroups.com.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrUmbPfA1FwgzCXGAa2neBHW37pBDnWj0d4tNFxUKAaBQ%40mail.gmail.com.
