Ooops! Correcting the decoder parent and my decoder:
Decoder parent:

    <decoder name="fortigate-firewall-v5">
      <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
      <type>syslog</type>
    </decoder>

My decoder:

    <decoder name="fortigate-firewall-v5-event-vpn-fields4">
      <parent>fortigate-firewall-v5</parent>
      <!-- vd=\S+ instead of vd="\.+": the sample log carries vd=root with no quotes,
           and \S+ also matches the quoted form vd="root" seen on other firmware -->
      <prematch offset="after_parent">type=event subtype=vpn level=\S+ vd=\S+ logdesc="\.+" msg=</prematch>
      <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"</regex>
      <order>extra_data,action,dstip,srcip,status</order>
    </decoder>

On Sunday, 28 May 2017 11:38:16 UTC-3, RWagner wrote:

> <https://lh3.googleusercontent.com/-n47to6eHiT8/WSrf3ePZq2I/AAAAAAAAAAM/oDmoGiNxQCMbTKeSY_ZXpouAclLZBSoIACLcB/s1600/ossec-logtest%2Bresult.JPG>
>
> Hi Guys!
>
> I'm making a decoder for problems with VPN phase_2 for the Fortigate.
>
> Sample log:
>
> date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 remport=500 locport=500 outintf="wan2" cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" phase2_name=VPN_XPTO
>
> Decoder parent:
>
>     <decoder name="fortigate-firewall-v5">
>       <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
>       <type>syslog</type>
>     </decoder>
>
> My decoder:
>
>     <decoder name="fortigate-firewall-v5-event-vpn-fields4">
>       <parent>fortigate-firewall-v5</parent>
>       <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=</regex>
>       <order>extra_data,action,dstip,srcip,status</order>
>     </decoder>
>
> In the image with the test done with the logtest, it does not show the data extra_data, action, dstip, srcip, status.
>
> I wonder what's wrong with my decoder.
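A way to check, outside OSSEC, which fields a decoder like the one above should be pulling out of this log format. This is an added example and not code from the thread or from the OSSEC project: the parser, the `FIELD_MAP` table and the two prematch translations are hypothetical helpers written here, and the sample line is constructed after the one quoted in the post. The point it makes is the one ossec-logtest only shows indirectly: FortiGate writes some values bare (`vd=root`, `action=phase2-down`) and others double-quoted with embedded spaces (`logdesc="IPsec phase 2 status changed"`), so a prematch written as `vd="\.+"` never fires on a line with an unquoted vd, and when the prematch does not fire the regex is never run and no fields appear at all. The prematch check below uses Python's `re`, not the OSSEC regex engine, so it only illustrates the quoting issue, not OSSEC's exact matching rules.

```python
import re

# Constructed sample line, modelled on the one quoted in the thread (IPs and
# cookies are placeholders, not a real device log).
SAMPLE_LOG = (
    'date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 '
    'devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn '
    'level=notice vd=root logdesc="IPsec phase 2 status changed" '
    'msg="IPsec phase 2 status change" action=phase2-down remip=1.1.1.1 '
    'locip=2.2.2.2 remport=500 locport=500 outintf="wan2" '
    'cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" '
    'xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" '
    'phase2_name=VPN_XPTO'
)

# One key=value pair: the value is either double-quoted (and may contain
# spaces) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortigate(line):
    """Split a FortiGate key=value log line into a dict, unquoting values."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


# FortiGate key -> OSSEC field, mirroring the <order> list of the decoder in
# the thread (msg->extra_data, remip->dstip, locip->srcip, vpntunnel->status).
# Hypothetical table for this example, not part of OSSEC.
FIELD_MAP = {
    "msg": "extra_data",
    "action": "action",
    "remip": "dstip",
    "locip": "srcip",
    "vpntunnel": "status",
}


def decode_vpn_event(line):
    """Return the decoder's fields for a type=event subtype=vpn line, else None."""
    f = parse_fortigate(line)
    if f.get("type") != "event" or f.get("subtype") != "vpn":
        return None
    return {ossec: f.get(fg) for fg, ossec in FIELD_MAP.items()}


# Python translations of two child <prematch> variants, to show why the
# quoted-vd form never fires on this sample. (Python re, not the OSSEC regex
# engine; OSSEC's \.+ inside the quotes is rendered as [^"]+ here.)
PREMATCH_QUOTED_VD = re.compile(r'type=event subtype=vpn level=\S+ vd="[^"]+" logdesc=')
PREMATCH_ANY_VD = re.compile(r'type=event subtype=vpn level=\S+ vd=\S+ logdesc=')


def prematch_hits(line, pattern):
    """True if the prematch pattern matches somewhere in the line."""
    return pattern.search(line) is not None


if __name__ == "__main__":
    print(decode_vpn_event(SAMPLE_LOG))
    print("quoted-vd prematch:", prematch_hits(SAMPLE_LOG, PREMATCH_QUOTED_VD))
    print("any-vd prematch:   ", prematch_hits(SAMPLE_LOG, PREMATCH_ANY_VD))
```

Run it against a few real lines from the firewall before touching the decoder: if `parse_fortigate` shows `vd` bare on some lines and quoted on others, the OSSEC prematch has to accept both (`vd=\S+` does), and `decode_vpn_event` shows the five values the decoder is expected to hand to the rules.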