Hi Alec,

The problem is that your decoder will only be called if the "checkpoint-syslog" one matches. However, it will not match because we expect the logs to have the date and time, like:

Checkpoint: 3Apr2008 15:02:15 monitor

While yours only have:

Checkpoint: 1:38:54 accept

Can you change your config to look like:
http://www.ossec.net/wiki/index.php/Checkpoint_Config_Example ?

If not, you will have to slightly modify the main decoder to work with your logs.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Jun 7, 2008 at 3:45 PM, Alec <[EMAIL PROTECTED]> wrote:
> Hi
> I am attempting to write a decoder and some rules to get Checkpoint firewall
> audit logs into ossec.
> I am getting checkpoint logs by syslog to a separate file monitored by the ossec
> server.
> My firewall log looks like that:
>
> May 28 15:43:39 192.168.11.100 Checkpoint: 1:38:54 accept 192.168.11.100
> < ObjectName: cpmodule; ObjectType: firewall_application; ObjectTable:
> applications; Operation: Install Policy; Uid:
> {776C2062-145B-11DD-93F0-000000008989}; Administrator: admin; Machine: none;
> Subject: Policy Installation; Audit Status: Success; Additional Info:
> Security Policy : Standard; Operation Number: 7; product: SmartDashboard;
>
> I added a decoder to the end of decoder.xml:
>
> <decoder name="checkpoint-syslog-audit">
>   <parent>checkpoint-syslog</parent>
>   <type>syslog</type>
>   <prematch offset="after_parent">^accept</prematch>
>   <regex offset="after_parent">^\w+\s(\d+.\d+.\d+.\d+)\W+.+Operation: ([^;]+)</regex>
>   <order>srcip, action</order>
> </decoder>
>
> In the local_rules.xml I added one rule:
>
> <rule id="110001" level="3">
>   <decoded_as>checkpoint-syslog-audit</decoded_as>
>   <description>Checkpoint firewall policy installation</description>
> </rule>
>
> but still see nothing in the alerts.log
>
> Does anyone have any clue?
>
> Thanks.
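To make the parent/child chaining Daniel describes concrete, here is an added Python model of how a child decoder with `offset="after_parent"` is only evaluated on the text following the parent's match. It is example code written for this thread, not OSSEC's decoder engine; the parent prematch `PARENT_PREMATCH` is an assumed approximation of the stock "checkpoint-syslog" pattern (date, time, action), and the sample lines are constructed from the formats quoted above.

```python
import re

# Assumed approximation of the stock "checkpoint-syslog" parent prematch:
# a date like 3Apr2008, a time, then the action keyword.
PARENT_PREMATCH = re.compile(r"^Checkpoint: \d+\w+\d+ \d+:\d+:\d+ ")

# Alec's child decoder, translated to Python regex. Both are applied to the
# text AFTER the parent's match because of offset="after_parent".
CHILD_PREMATCH = re.compile(r"^accept")
CHILD_REGEX = re.compile(r"^\w+\s(\d+\.\d+\.\d+\.\d+)\W+.+Operation: ([^;]+)")
CHILD_ORDER = ("srcip", "action")

# Constructed sample lines (the Checkpoint: portion, after syslog header stripping).
AUDIT_PAYLOAD = ("192.168.11.100 < ObjectName: cpmodule; ObjectType: firewall_application; "
                 "Operation: Install Policy; Uid: {constructed}; Administrator: admin;")
LINE_ALEC = "Checkpoint: 1:38:54 accept " + AUDIT_PAYLOAD            # no date: parent fails
LINE_DOC_MONITOR = "Checkpoint: 3Apr2008 15:02:15 monitor 10.0.0.1"  # parent ok, child prematch fails
LINE_DOC_ACCEPT = "Checkpoint: 3Apr2008 15:02:15 accept " + AUDIT_PAYLOAD  # full chain matches


def decode(line):
    """Return which decoder matched and any extracted fields, mimicking the chain:
    parent prematch -> child prematch (after parent) -> child regex (after parent)."""
    parent = PARENT_PREMATCH.match(line)
    if not parent:
        # The child is never even consulted when the parent does not match.
        return {"decoder": None, "reason": "parent prematch failed", "fields": {}}

    rest = line[parent.end():]  # this is what offset="after_parent" exposes
    if not CHILD_PREMATCH.match(rest):
        return {"decoder": "checkpoint-syslog", "reason": "child prematch failed", "fields": {}}

    m = CHILD_REGEX.match(rest)
    if not m:
        return {"decoder": "checkpoint-syslog", "reason": "child regex failed", "fields": {}}

    fields = dict(zip(CHILD_ORDER, m.groups()))
    return {"decoder": "checkpoint-syslog-audit", "reason": "matched", "fields": fields}


if __name__ == "__main__":
    for name, line in (("alec", LINE_ALEC), ("doc-monitor", LINE_DOC_MONITOR),
                       ("doc-accept", LINE_DOC_ACCEPT)):
        print(name, decode(line))
```

Running it shows the three outcomes side by side: Alec's line is rejected at the parent, the documented "monitor" line reaches the parent only, and a documented-format "accept" line is the one case where the child decoder runs and extracts srcip and action. In a real deployment the same check is done with `/var/ossec/bin/ossec-logtest`, which reports which decoder (if any) claimed the line.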
