I'm running OSSEC 2.3.
Here's a sample log message and the decoder to parse it:
<!--
Dec 21 15:19:21 hostname ftpd[10814]: FTP LOGIN FROM client.example.org[10.0.0.1], jones_b
-->
<decoder name="local-wuftpd-login-ip-user">
<parent>ftpd</parent>
<prematch>^FTP LOGIN FROM \S+ [\d+.\d+.\d+.\d+], \w+$</prematch>
<regex>[(\d+.\d+.\d+.\d+)], (\w+)$</regex>
<order>srcip, user</order>
</decoder>
If I add this decoder to decoder.xml immediately after the following
decoder...
<decoder name="ftpd">
<program_name>^ftpd|^in.ftpd</program_name>
</decoder>
...and I run ossec-logtest with the sample message, the output is:
**Phase 1: Completed pre-decoding.
full event: 'Dec 21 15:19:21 hostname ftpd[10814]: FTP LOGIN FROM client.example.org [10.0.0.1], jones_b'
hostname: 'hostname'
program_name: 'ftpd'
log: 'FTP LOGIN FROM client.example.org [10.0.0.1], jones_b'
**Phase 2: Completed decoding.
decoder: 'ftpd'
srcip: '10.0.0.1'
dstuser: 'jones_b'
i.e. the srcip and dstuser are correctly parsed out.
However, if I add this decoder further down in decoder.xml after...
<decoder name="ftpd-ip">
<parent>ftpd</parent>
<regex>from (\d+.\d+.\d+.\d+)$</regex>
<order>srcip</order>
</decoder>
...and I run ossec-logtest with the sample message, the output is:
**Phase 1: Completed pre-decoding.
full event: 'Dec 21 15:19:21 hostname ftpd[10814]: FTP LOGIN FROM client.example.org [10.0.0.1], jones_b'
hostname: 'hostname'
program_name: 'ftpd'
log: 'FTP LOGIN FROM client.example.org [10.0.0.1], jones_b'
**Phase 2: Completed decoding.
decoder: 'ftpd'
i.e. the srcip and dstuser are NOT parsed out.
I'm pretty new to OSSEC.
What am I missing?
Thanks
Stephen
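The following is an added illustration, not code from the post or from OSSEC itself: a small Python model of how a parent decoder's children are tried in file order, run against the sample event above with the two child decoders placed in both orders. The selection rule it models is an assumption (a child whose <prematch> matches is selected, a child with no <prematch> is selected unconditionally, and once a child is selected no later sibling is consulted even if its <regex> fails); the page's OSSEC regexes have been translated by hand to Python syntax, since OSSEC treats "[" and "]" literally.

```python
import re

# Constructed sample event: the part of the post's log line after
# "ftpd[10814]: ", which is what the child decoders of "ftpd" see.
LOG = "FTP LOGIN FROM client.example.org [10.0.0.1], jones_b"

# The two child decoders from the post, with their OSSEC regexes translated
# by hand: literal "[" and "]" are escaped, "." keeps its any-character
# meaning, and a pattern without "^" is a search rather than a full match.
LOGIN_DECODER = {
    "name": "local-wuftpd-login-ip-user",
    "prematch": r"^FTP LOGIN FROM \S+ \[\d+.\d+.\d+.\d+\], \w+$",
    "regex": r"\[(\d+.\d+.\d+.\d+)\], (\w+)$",
    "order": ["srcip", "user"],
}
IP_DECODER = {
    "name": "ftpd-ip",
    "prematch": None,  # the stock ftpd-ip decoder has no <prematch>
    "regex": r"from (\d+.\d+.\d+.\d+)$",
    "order": ["srcip"],
}


def select_child(children, log):
    """Walk the parent's children in file order and return the first one
    that applies.  Assumed rule: a child with a <prematch> applies only if
    the prematch matches; a child without one applies unconditionally."""
    for dec in children:
        if dec["prematch"] is None or re.search(dec["prematch"], log):
            return dec
    return None


def decode(children, log):
    """Return (name of the selected child, extracted fields).

    Assumed rule: the selected child's <regex> is the only one tried, so
    if it does not match the result has no fields, which is what
    ossec-logtest shows as a bare "decoder: 'ftpd'" line."""
    dec = select_child(children, log)
    if dec is None:
        return None, {}
    m = re.search(dec["regex"], log)
    if m is None:
        return dec["name"], {}
    # Capture groups are paired positionally with <order>; ossec-logtest
    # prints the "user" field as dstuser.
    return dec["name"], dict(zip(dec["order"], m.groups()))


if __name__ == "__main__":
    orders = (
        ("login decoder first", [LOGIN_DECODER, IP_DECODER]),
        ("ftpd-ip first", [IP_DECODER, LOGIN_DECODER]),
    )
    for label, children in orders:
        print(label, "->", decode(children, LOG))
```

Under this model the login decoder placed first yields srcip and user, while ftpd-ip placed first is selected on sight (no prematch), its case-sensitive "from ...$" regex does not match "FROM ... [10.0.0.1], jones_b", and nothing is extracted, matching both logtest outputs in the post. A quick way to check a new child decoder is therefore to look at every sibling that precedes it under the same parent and confirm each one either has a prematch that rejects the new event or comes after the new decoder.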