try changing your prematch tag to

<prematch>^\w\w\w \d\d \d\d:\d\d:\d\d</prematch>

see here: http://www.ossec.net/doc/manual/rules-decoders/create-custom.html

-AK

On Wed, Nov 14, 2012 at 8:49 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
> Hello,
>
> I am trying to set up a local_decoder.xml entry to decode our Clavister log
> entries.
> The clavister logfiles show only outgoing dropped traffic, for example:
>
> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
> id=06000051 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1
>
> I could not find an existing clavister decoder so I am trying to write my
> own.
> I tried something as follows :
>
> <decoder name="clavister">
>   <prematch>^\w+ \d+ \S+ </prematch>
> </decoder>
>
> If I get it correct the ^ is beginning of the line, \w+ = Month, \d+ = day of
> month, \S+ = time, but it's not working as expected, running logtest shows:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
> RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1'
>        hostname: '10.170.80.3'
>        program_name: '(null)'
>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> It does not show the clavister field at Phase 2 which I would expect.
>
> Can anyone point out what I am doing wrong even with this simple <prematch>
> example?
>
> Thanks in advance.
>
> Regards,
>
> Michiel
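An added illustration (not from the thread and not OSSEC's own code) of why the posted prematch never fires: the Phase 1 output above shows that the syslog timestamp and hostname are already consumed before decoders run, so the prematch is tested against the `log` field, which starts at `[2012-11-14 ...`. The Python below emulates that two-phase split with standard Python regexes (OSSEC decoders use their own regex dialect, so these patterns are not drop-in `<prematch>` syntax), and the Clavister-to-OSSEC field-name mapping is an assumption made for this example.

```python
import re

# Constructed sample: the same Clavister line the thread quotes.
SAMPLE = ("Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
          "id=06000051 rev=1 event=ruleset_drop_packet action=drop "
          "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
          "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 "
          "destport=49511 ack=1 fin=1")

# Phase 1 (pre-decoding): the syslog header "Mon DD HH:MM:SS host " is consumed;
# program_name is set only when the remainder starts with "name:" or "name[pid]:".
SYSLOG_HDR = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
PROG_NAME = re.compile(r"^([^\s:\[\]]+)(?:\[\d+\])?: (.*)$", re.S)

def predecode(line):
    """Return the hostname/program_name/log split that ossec-logtest prints."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    _ts, host, rest = m.groups()
    p = PROG_NAME.match(rest)
    if p:
        return {"hostname": host, "program_name": p.group(1), "log": p.group(2)}
    return {"hostname": host, "program_name": None, "log": rest}

# Phase 2 (decoding): prematch is tested against the "log" field from phase 1,
# so a pattern written for the syslog timestamp never sees it.
PREMATCH_POSTED = re.compile(r"^\w+ \d+ \S+ ")                 # the thread's attempt
PREMATCH_EFW = re.compile(r"^\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] EFW: ")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")
# Clavister key -> OSSEC-style decoded field name (hypothetical mapping for this example).
FIELD_MAP = {"srcip": "srcip", "destip": "dstip", "srcport": "srcport",
             "destport": "dstport", "ipproto": "protocol", "action": "action",
             "id": "id"}

def decode(line, prematch=PREMATCH_EFW):
    """Emulate a decoder: None when prematch fails, else the extracted fields."""
    ev = predecode(line)
    if not prematch.match(ev["log"]):
        return None
    kv = dict(KEY_VALUE.findall(ev["log"]))
    fields = {FIELD_MAP[k]: v for k, v in kv.items() if k in FIELD_MAP}
    fields["hostname"] = ev["hostname"]
    return fields

if __name__ == "__main__":
    print(predecode(SAMPLE))
    print("posted prematch:", decode(SAMPLE, PREMATCH_POSTED))
    print("EFW prematch:", decode(SAMPLE))
```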
