It must be nice to have people do your work for you.

On Thu, Mar 1, 2012 at 3:06 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
> On Wed, Feb 29, 2012 at 4:52 PM, Viktor Gazdag <woodsp...@gmail.com> wrote:
>> Hi!
>>
>> I quickly made this decoder, and after it you can see the ossec-logtest
>> output! The interface is not there, I know. :/
>> I hope it is good for you or helps with something! :) If you have any questions,
>> feel free to ask!
>>
>> <decoder name="custom_checkpoint">
>>   <prematch>"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"</prematch>
>>   <regex offset="after_prematch">"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"</regex>
>>   <order>action, srcport, srcip, dstip, protocol</order>
>> </decoder>
>>
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'custom_checkpoint'
>>        action: 'Accept'
>>        srcport: '61347'
>>        srcip: 'srv01'
>>        dstip: 'srvdns'
>>        proto: 'udp'
>>
>> Best regards
>> woodspeed
>>
>>
>
> Many thanks Viktor ... but with some logs it works, but with others
> not. For example:
>
> a) works
>
> **Phase 1: Completed pre-decoding.
>       full event: '"14" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1"
> "Log" "Accept" "domain-udp" "49505" "mysrv01" "srvdns01" "udp" "82" ""
> "82-Standard" "" "inzone: Internal; outzone: Internal; service_id:
> domain-udp" "VPN-1 Power/UTM" "" ""^M'
>       hostname: 'cosclunode02'
>       program_name: '(null)'
>       log: '"14" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log"
> "Accept" "domain-udp" "49505" "mysrv01" "srvdns01" "udp" "82" ""
> "82-Standard" "" "inzone: Internal; outzone: Internal; service_id:
> domain-udp" "VPN-1 Power/UTM" "" ""^M'
>
> **Phase 2: Completed decoding.
>       decoder: 'custom-checkpoint-fw'
>       action: 'Accept'
>       srcport: '49505'
>       srcip: 'mysrv01'
>       dstip: 'srvdns01'
>       proto: 'udp'
>
>
> b) here, it doesn't work:
>
> **Phase 1: Completed pre-decoding.
>       full event: '"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1"
> "Log" "Accept" "http" "3336" "wrk01" "192.168.209.167" "tcp" "53" ""
> "53-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""^M'
>       hostname: 'cosclunode02'
>       program_name: '(null)'
>       log: '"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log"
> "Accept" "http" "3336" "wrk01" "192.168.209.167" "tcp" "53" ""
> "53-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""^M'
>
> **Phase 2: Completed decoding.
>       decoder: 'custom-checkpoint-fw'

I'm not sure how it can match the decoder without matching everything.
Are you using the exact decoder that Viktor posted? Or is there more
there that might be getting in the way? The logs look basically the
same.
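An added illustration (not from any poster in this thread): a small Python emulation of how the posted decoder behaves on the two sample events above. It assumes OSSEC's documented character classes, in particular that `\w` covers letters, digits, '@', '-' and '_' but not '.', and that `\s` is a single space; other quirks of the OSSEC regex engine are not modelled. Under those assumptions the field regex fails on event (b) only because the dstip field "192.168.209.167" is matched with `"(\w+)"`, which cannot match the dots, while event (a) has hostnames in that position. The prematch still hits, which is why ossec-logtest prints the decoder name with no fields. The "FIXED_DECODER" below, which uses `"(\S+)"` for dstip, is my suggested change, not something from the thread. The two log lines are reconstructed from the thread with the trailing ^M dropped.

```python
import re

# OSSEC's regex dialect is not PCRE. Translate the classes the decoder uses
# into equivalent Python character classes (assumption: OSSEC's documented
# definitions: \w = A-Z a-z 0-9 @ - _ (no '.'), \d = 0-9, \s = one space,
# so \S is anything except a space). Backtracking differences are ignored.
OSSEC_CLASSES = {
    r"\w": "[A-Za-z0-9@_-]",
    r"\d": "[0-9]",
    r"\S": "[^ ]",
    r"\s": " ",
}


def to_python_regex(ossec_pattern):
    """Rewrite the handful of OSSEC classes into Python syntax; everything
    else in these decoder patterns (quotes, spaces, ':', '+', groups) is
    already valid Python regex."""
    out = ossec_pattern
    for ossec_class, py_class in OSSEC_CLASSES.items():
        out = out.replace(ossec_class, py_class)
    return out


# The decoder exactly as posted in the thread.
POSTED_DECODER = {
    "prematch": r'"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"',
    "regex": r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"',
    "order": ["action", "srcport", "srcip", "dstip", "protocol"],
}

# Suggested fix (my assumption, not from the thread): dstip as \S+ so that
# dotted IP addresses and FQDNs match as well as bare hostnames.
FIXED_DECODER = {
    "prematch": POSTED_DECODER["prematch"],
    "regex": r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"',
    "order": POSTED_DECODER["order"],
}

# Constructed sample events, copied from the ossec-logtest output above
# (trailing carriage return removed).
LOG_A = ('"14" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" '
         '"domain-udp" "49505" "mysrv01" "srvdns01" "udp" "82" "" '
         '"82-Standard" "" "inzone: Internal; outzone: Internal; service_id: '
         'domain-udp" "VPN-1 Power/UTM" "" ""')
LOG_B = ('"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log" "Accept" '
         '"http" "3336" "wrk01" "192.168.209.167" "tcp" "53" "" '
         '"53-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""')


def decode(decoder, log):
    """Return (prematch_hit, fields).

    fields is an empty dict when the prematch hit but the field regex did
    not, which is what ossec-logtest shows as a decoder name with nothing
    underneath it. The regex is applied after the prematch, mirroring
    offset="after_prematch"."""
    pre = re.search(to_python_regex(decoder["prematch"]), log)
    if pre is None:
        return (False, {})
    rest = log[pre.end():]
    m = re.search(to_python_regex(decoder["regex"]), rest)
    if m is None:
        return (True, {})
    return (True, dict(zip(decoder["order"], m.groups())))


if __name__ == "__main__":
    for name, decoder in (("posted", POSTED_DECODER), ("fixed", FIXED_DECODER)):
        for label, log in (("a", LOG_A), ("b", LOG_B)):
            hit, fields = decode(decoder, log)
            print(f"{name} decoder, event ({label}): prematch={hit} fields={fields}")
```

Running it shows the posted decoder returning all five fields for (a) and an empty field set for (b), while the `\S+` variant decodes both. The same problem would appear on event (a) the moment a dotted FQDN showed up in the srcip or dstip position, so `\S+` is the safer class for any field that can hold either a hostname or an address.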
