[attached image: updateruleset.JPG]

Hi Jesus, thanks for the help!

I had tested this too, but I did not succeed. I tried putting vd=\.* and it did not work. I think there was some junk in the file. I ran update_ruleset.py, I put the rule there and it worked. I do not know what happened.

On Monday, May 29, 2017 at 06:48:24 UTC-3, Jesus Linares wrote:
>
> Hi,
>
> your prematch is wrong:
>
> - log: [...] vd=root logdesc [...]
> - prematch: [...] vd="\.+" [...]
>
> Try this one:
>
> <!--
> date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56
> devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn
> level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec
> phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2
> remport=500 locport=500 outintf="wan2"
> cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A"
> xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO"
> phase2_name=VPN_XPTO
> -->
> <decoder name="fortigate-firewall-v5-event-vpn-fields4">
>   <parent>fortigate-firewall-v5</parent>
>   <prematch offset="after_parent">type=event subtype=vpn level=</prematch>
>   <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"</regex>
>   <order>extra_data,action,dstip,srcip,status</order>
> </decoder>
>
> **Phase 2: Completed decoding.
>        decoder: 'fortigate-firewall-v5'
>        extra_data: 'IPsec phase 2 status change'
>        action: 'phase2-down'
>        dstip: '1.1.1.1'
>        srcip: '2.2.2.2'
>        status: 'VPN_XPTO'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '81603'
>        Level: '0'
>        Description: 'Fortigate messages grouped.'
>
> I hope it helps.
> Regards.
>
> On Sunday, May 28, 2017 at 4:41:24 PM UTC+2, RWagner wrote:
>>
>> Ooops!
>>
>> Correcting the decoder parent and my decoder:
>>
>> Decoder parent:
>> <decoder name="fortigate-firewall-v5">
>>   <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+</prematch>
>>   <type>syslog</type>
>> </decoder>
>>
>> My decoder:
>> <decoder name="fortigate-firewall-v5-event-vpn-fields4">
>>   <parent>fortigate-firewall-v5</parent>
>>   <prematch offset="after_parent">type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg=</prematch>
>>   <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"</regex>
>>   <order>extra_data,action,dstip,srcip,status</order>
>> </decoder>
>>
>> On Sunday, May 28, 2017 at 11:38:16 UTC-3, RWagner wrote:
>>>
>>> [attached image: ossec-logtest+result.JPG]
>>>
>>> Hi Guys!
>>>
>>> I'm making a decoder for problems with VPN phase_2 for the Fortigate.
>>>
>>> Sample log:
>>> date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56
>>> devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn
>>> level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec
>>> phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2
>>> remport=500 locport=500 outintf="wan2"
>>> cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A"
>>> xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO"
>>> phase2_name=VPN_XPTO
>>>
>>> Decoder parent:
>>> <decoder name="fortigate-firewall-v5">
>>>   <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+
>>>   <type>syslog</type>
>>> </decoder>
>>>
>>> My decoder:
>>> <decoder name="fortigate-firewall-v5-event-vpn-fields4">
>>>   <parent>fortigate-firewall-v5</parent>
>>>   [prematch line is garbled in the archived copy of this post]
>>>   <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=</regex>
>>>   <order>extra_data,action,dstip,srcip,status</order>
>>> </decoder>
>>>
>>> In the image of the test done with ossec-logtest, it does not show the data
>>> extra_data, action, dstip, srcip, status.
>>>
>>> I wonder what's wrong with my decoder.
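The prematch mismatch Jesus points out (the log carries vd=root, while the prematch expected a quoted vd="...") can be reproduced offline before touching the decoder file. The script below is an added example, not code from this thread or from OSSEC itself: it translates the OSSEC regex dialect (\. for any character, \S, \w, \d and friends) into Python's re module, which is only an approximation of the OSSEC engine, and runs the parent/child decoder stages over a single-line copy of the posted sample log with both the failing and the corrected prematch. The helper names ossec_to_python and run_decoder are mine, and the \w character class follows the OSSEC documentation (A-Z, a-z, 0-9, -, @, _) as an assumption about that engine.

```python
import re

# OSSEC regex classes mapped to Python re. In OSSEC a bare "." is a literal
# dot and "\." means "any character"; \s and \S mean "space" / "not space".
# The \w class follows the OSSEC docs (letters, digits, -, @, _): assumption.
_OSSEC_CLASSES = {
    ".": ".",
    "w": r"[A-Za-z0-9@_\-]",
    "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r" ",
    "S": r"[^ ]",
    "t": r"\t",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # a known class, or an escaped literal such as \( \) \$ \|
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # same meaning in both engines; every other character is literal
        out.append(c if c in "()+*^$|" else re.escape(c))
        i += 1
    return "".join(out)


def run_decoder(log, parent_prematch, child_prematch, child_regex, order,
                after_parent=True):
    """Model of the parent/child decoder stages discussed in the thread.

    Returns a dict of extracted fields, or a string naming the stage that
    failed, so a wrong prematch is visible instead of just yielding an empty
    Phase 2 in ossec-logtest.
    """
    parent = re.search(ossec_to_python(parent_prematch), log)
    if not parent:
        return "parent prematch did not match"
    # offset="after_parent": the child prematch is searched only in the text
    # that follows the parent's prematch match
    haystack = log[parent.end():] if after_parent else log
    if not re.search(ossec_to_python(child_prematch), haystack):
        return "child prematch did not match"
    # the thread's <regex> has no offset, so it is applied to the whole log
    m = re.search(ossec_to_python(child_regex), log)
    if not m:
        return "child regex did not match"
    return dict(zip(order, m.groups()))


# Constructed single-line copy of the sample log posted in the thread.
SAMPLE_LOG = (
    'date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 '
    'devid=FGT60D0000000000 logid=01016745858 type=event subtype=vpn '
    'level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec '
    'phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 '
    'remport=500 locport=500 outintf="wan2" '
    'cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" '
    'xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" '
    'phase2_name=VPN_XPTO'
)

PARENT_PREMATCH = r"date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+"
# prematch from the "Ooops" post: expects vd="..." but the log has vd=root
WRONG_PREMATCH = r'type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg='
# the corrected prematch from Jesus's reply
FIXED_PREMATCH = r"type=event subtype=vpn level="
REGEX = (r'logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) '
         r'\.*vpntunnel="(\.*)"')
ORDER = ["extra_data", "action", "dstip", "srcip", "status"]


def decode_with_wrong_prematch():
    return run_decoder(SAMPLE_LOG, PARENT_PREMATCH, WRONG_PREMATCH, REGEX, ORDER)


def decode_with_fixed_prematch():
    return run_decoder(SAMPLE_LOG, PARENT_PREMATCH, FIXED_PREMATCH, REGEX, ORDER)


if __name__ == "__main__":
    print("wrong prematch:", decode_with_wrong_prematch())
    print("fixed prematch:", decode_with_fixed_prematch())
```

Running it prints the stage that fails for the original prematch and the five fields, in <order> sequence, for the corrected one; the field values match the Phase 2 output Jesus pasted. The translation deliberately keeps the OSSEC meaning of \S (not a space) rather than Python's whitespace class, because that difference is exactly the kind of thing that makes a decoder match in a test harness and miss on the real log.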