You do not need to use perl or python for this. You will need to use decoder.xml to pull the info you want out. Here is a completely untested, just-typed-in-email snippet for decoder.xml.
decoder.xml:

<decoder name="openvpn">
  <program_name>^openvpnserver</program_name>
</decoder>

<decoder name="openvpn-invalid-cert">
  <parent>openvpn</parent>
  <regex offset="after_parent">(\d+.\d+.\d+.\d+):\d+ TLS Error</regex>
  <order>srcip</order>
</decoder>

Please see http://www.ossec.net/wiki/Decoder_rules_relation for full details.

On Dec 4, 2009, at 11:24 AM, Jeremy Lee wrote:

> I'm thinking a perl/python script to do the job, otherwise a combination of
> awk, sed, and cut?
>
> 2009/12/3 Lfi <[email protected]>
> Hi, I created a rule for the OpenVPN log with a "bad word" "TLS Error: TLS
> handshake failed". I'm getting a mail alert like this:
>
> OSSEC HIDS Notification.
> 2009 Dec 01 13:25:12
>
> Received From: (OPENVPN) 192.168.30.200->/var/log/messages
> Rule: 1009 fired (level 10) -> "Certificate not valid/expired or connection
> error"
> Portion of the log(s):
>
> Dec 1 13:23:15 thunderstruck openvpnserver[813]: 82.42.227.22:1194 TLS
> Error: TLS handshake failed
>
>
>
> --END OF NOTIFICATION
>
> I want to extract the IP from this portion of the log (in this case 82.42.227.22) and
> block it by Active Response :)
>
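A fuller version of the same wiring, added here as an example and not taken from this thread or from OSSEC's stock rule set: the decoder above, a local rule that fires on it, and the active-response entries that block the extracted srcip. The rule id 100100, the 600-second timeout and the use of the shipped firewall-drop command are my assumptions.

```xml
<!-- etc/decoder.xml: same decoder as in the reply above. program_name is
     filled in by the syslog pre-decoder ("openvpnserver[813]:" in the alert). -->
<decoder name="openvpn">
  <program_name>^openvpnserver</program_name>
</decoder>

<!-- Capture the peer address as srcip. In OSSEC regex a bare "." is a
     literal dot (the wildcard is "\."), so this is a plain IPv4 pattern. -->
<decoder name="openvpn-invalid-cert">
  <parent>openvpn</parent>
  <regex offset="after_parent">(\d+.\d+.\d+.\d+):\d+ TLS Error</regex>
  <order>srcip</order>
</decoder>

<!-- rules/local_rules.xml: id 100100 is an assumed local id
     (100000 and up is the range reserved for local rules). -->
<group name="openvpn,">
  <rule id="100100" level="10">
    <decoded_as>openvpn</decoded_as>
    <match>TLS Error: TLS handshake failed</match>
    <description>OpenVPN: TLS handshake failed (certificate not valid/expired?)</description>
  </rule>
</group>

<!-- etc/ossec.conf (inside <ossec_config>): run the stock firewall-drop
     script on the host that logged the event, passing the srcip the
     decoder extracted; the 600-second timeout is an assumed value. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

Before enabling the response, paste the sample line from the alert into /var/ossec/bin/ossec-logtest and confirm the output shows srcip set to 82.42.227.22, since whatever the decoder extracts is what gets blocked. A frequency/timeframe condition on the rule keeps a single failed handshake from locking out a client whose certificate has merely expired.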
