Hi Josh, try with this decoder:
<decoder name="arlog">
  <prematch>^AR-LOG</prematch>
</decoder>

<decoder name="arlog-skype">
  <parent>arlog</parent>
  <regex offset="after_parent">\|\.+\|\.+\|\.+\|\.+\|(\S+)\|\.+\|(\S+)\|\S+\|\.+\|\.+\|(\.+)\|</regex>
  <order>id,action,url</order>
</decoder>

ossec-logtest:

AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017

**Phase 1: Completed pre-decoding.
       full event: 'AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017'

**Phase 2: Completed decoding.
       decoder: 'arlog'
       id: 'Skype'
       action: 'Logon'
       url: 'c:\program files (x86)\skype\phone\skype.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '0'
       Description: 'Unknown problem somewhere in the system.'

I hope it helps.

Regards,
Jesus Linares.

On Saturday, May 21, 2016 at 1:14:04 PM UTC+2, DefensiveDepth wrote:
>
> I am attempting to write a decoder for the following log (it is delimited
> with a pipe) - I have pre-matched to "AR-LOG" and am attempting to pull out
> "Skype" "Logon" & the program path "c:\program files (x86)\skype\phone\skype.exe"
>
> I am attempting to do a \.* to every | (which I have to escape), but am
> having trouble since besides the pipes there are no other literal characters
> I can tie into. Any thoughts or comments on a way forward? I do have the
> ability to modify these logs before they are processed through OSSEC.
>
> 2016 May 20 16:39:21 (DD-C-PROD) 192.168.1.18->ar-normalized.log AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017

You received this message because you are subscribed to the Google Groups "ossec-list" group.
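The posted decoder works on the sample line because every field it captures with \S+ (value name, action, account) happens to contain no whitespace. The Python below is an added example, not code from the thread or from OSSEC: it ports the decoder's positional regex so the extraction can be checked offline, then shows the one failure mode a practitioner should expect (a Run value name containing a space, here a constructed "Google Update" line that is not on the page) and two fixes: confining every field to [^|]+, or, since the poster can pre-process the logs anyway, splitting on the pipe and naming fields by position. The function names, SPACED_LINE, FIELD_NAMES and DECODER_RE_FIXED are mine; the sample AR-LOG line is the one quoted in the thread.

```python
import re

# Constructed sample: the AR-LOG line quoted in the thread, with the hashes as
# shown on the page.
SAMPLE_LINE = (
    r"AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|"
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|"
    r"DD-RE2\ddadmin|Skype |Skype Technologies S.A.|"
    r"c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|"
    r'""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|'
    r"1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|"
    r"BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|"
    r"1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|"
    r"169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|"
    r"A9159194FEF672CA050D5D2DC9E64017"
)

# Hypothetical variant (constructed, not from the thread): the same line with a
# Run value whose name contains a space.
SPACED_LINE = SAMPLE_LINE.replace("|Skype|enabled|", "|Google Update|enabled|")

PREMATCH = "AR-LOG"
ORDER = ("id", "action", "url")  # same names as the decoder's <order>

# Port of the posted <regex>.  OSSEC's \.+ is written as [^|]+ here (Python's
# backtracking engine would let a greedy .+ run across several pipes), and the
# decoder's \S+ as [^|\s]+ so it keeps the "no whitespace" meaning without
# also being able to swallow a pipe.
DECODER_RE = re.compile(
    r"\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|([^|\s]+)\|[^|]+\|([^|\s]+)\|[^|\s]+\|"
    r"[^|]+\|[^|]+\|([^|]+)\|"
)

# Same positions, but every field is "anything up to the next pipe", so a
# value name or account containing a space still decodes.
DECODER_RE_FIXED = re.compile(
    r"\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|([^|]+)\|[^|]+\|([^|]+)\|[^|]+\|"
    r"[^|]+\|[^|]+\|([^|]+)\|"
)


def decode_regex(line, pattern=DECODER_RE):
    """Mimic <prematch>^AR-LOG</prematch> plus offset="after_parent": the regex
    is applied to the text following the prematch.  Returns a dict keyed like
    the decoder's <order>, or None when the regex does not match."""
    if not line.startswith(PREMATCH):
        return None
    m = pattern.match(line[len(PREMATCH):])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


# Positional alternative: field index -> name (index 0 is the AR-LOG tag).
FIELD_NAMES = {5: "id", 7: "action", 11: "url"}


def decode_split(line):
    """Split on the delimiter instead of pattern-matching.  Only the pipe
    separates fields, so whitespace inside a field is never a problem."""
    fields = line.split("|")
    if fields[0] != PREMATCH or len(fields) <= max(FIELD_NAMES):
        return None
    return {name: fields[i].strip() for i, name in FIELD_NAMES.items()}


if __name__ == "__main__":
    for label, line in (("sample", SAMPLE_LINE), ("spaced", SPACED_LINE)):
        print(label, "regex:", decode_regex(line))
        print(label, "fixed:", decode_regex(line, DECODER_RE_FIXED))
        print(label, "split:", decode_split(line))
```

Run it as a script and the "spaced" line decodes to None under the ported regex but to "Google Update" under the [^|]+ variant and the split parser; when feeding real ossec-logtest output, check against the same inputs, since the point is that the decoder silently stops matching rather than raising an error.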