Hey, I'm trying to add a new format of PIX log because ossec doesn't log my log format. Here is the line:

    Jan 7 12:18:03 333.333.333.333 %PIX-7-710001: TCP access requested from 333.333.333.333/333 to inside:333.333.333.333/https

I wrote the regex and validated it with this website: http://www.annuaire-info.com/outil-referencement/expression-reguliere/ You can try to test it with this regex:

    ^(\w\w\w) (\d+) (\d+:\d+:\d+) \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)

Here are my added lines in decoder.xml:

    <!-- Custom decoder for example -->
    <decoder name="pix-pers">
      <prematch>^\w\w\w \d+ \d+:\d+:\d+</prematch>
    </decoder>

    <decoder name="pix-pers-alerts">
      <parent>pix-pers</parent>
      <regex offset="after_parent">^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)</regex>
      <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
    </decoder>

Here are my rules in pix-rules.xml:

    <group name="syslog,pix-pers,">
      <rule id="111000" level="0">
        <decoded_as>pix-pers</decoded_as>
        <description>Grouping of PIX rules by me</description>
      </rule>

      <rule id="111001" level="8">
        <if_sid>111000</if_sid>
        <id>^6-302015</id>
        <description>Tousdanl'camtar</description>
      </rule>
    </group>

Here is the result of a logtest:

    [r...@template ossec]# bin/ossec-logtest
    2010/01/12 11:46:34 ossec-analysisd(1450): ERROR: Syntax error on regex: '^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)': 6.
    2010/01/12 11:46:34 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
    [r...@template ossec]#

I'm stuck here. First of all, I took an example of a written decoder from the net, but I still misunderstand the way ossec extracts the date: is it automatically extracted by this line?

    <decoder name="pix-pers">
      <prematch>^\w\w\w \d+ \d+:\d+:\d+</prematch>
    </decoder>

Can someone help me find my mistakes or point me to a guide on the net? Thanks
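An added example (editor's code, not from the post and not part of OSSEC): a small Python emulator of the regex dialect that ossec-analysisd accepts in decoder.xml, run against the log line from the post. It assumes the escape list given in the OSSEC regex-syntax documentation (\w, \d, \s, \t, \., \p, \W, \D, \S, \\, with . matching anything and only + * ^ $ | ( ) as metacharacters, so \/ is not a valid escape) and my reading of how ossec-analysisd treats a syslog-formatted line (timestamp and hostname removed, the text before the ':' kept as program_name, so a decoder never sees "Jan 7 12:18:03"). The rewritten regex, the order names and the sample line are constructed for the example.

```python
import re

# Escape table per the OSSEC regex syntax docs (assumption: this is the
# complete list os_regex accepts; anything else after a backslash is rejected).
OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9_@\-]",                  # \w: A-Z a-z 0-9 '-' '@' '_'
    "d": r"[0-9]",                            # \d
    "s": r" ",                                # \s: a space
    "t": r"\t",                               # \t
    ".": r"\.",                               # \.: literal dot
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",  # \p: punctuation
    "W": r"[^A-Za-z0-9_@\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    "\\": r"\\",                              # \\: literal backslash
}
OSSEC_META = set("+*^$|()")


class OssecRegexError(ValueError):
    """A pattern os_regex would refuse to compile (e.g. an unknown escape)."""


def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i == len(pattern):
                raise OssecRegexError("trailing backslash")
            esc = pattern[i]
            if esc not in OSSEC_ESCAPES:   # this is what rejects \/
                raise OssecRegexError(
                    "unsupported escape '\\%s' at offset %d" % (esc, i - 1))
            out.append(OSSEC_ESCAPES[esc])
        elif c in OSSEC_META:
            out.append(c)
        elif c == ".":
            out.append(".")                # unescaped dot matches any char
        else:
            out.append(re.escape(c))       # everything else is literal
        i += 1
    return "".join(out)


def check_regex(pattern):
    """None if the pattern is acceptable, else the reason it is not."""
    try:
        ossec_to_python(pattern)
    except OssecRegexError as e:
        return str(e)
    return None


def split_syslog_header(line):
    """Emulate the syslog header handling (my reading of ossec-analysisd):
    'Mon DD HH:MM:SS host program[pid]: message' -> (program_name, message).
    Date and host are dropped, so a decoder regex never sees them."""
    m = re.match(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ "
                 r"([^:\[ ]+)(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None, line
    return m.group(1), m.group(2)


def run_decoder(regex, order, text):
    """Apply an OSSEC-dialect regex and map its groups onto <order> names."""
    m = re.search(ossec_to_python(regex), text)
    return None if m is None else dict(zip(order, m.groups()))


# Constructed sample: the line from the post.
LOG_LINE = ("Jan 7 12:18:03 333.333.333.333 %PIX-7-710001: TCP access requested "
            "from 333.333.333.333/333 to inside:333.333.333.333/https")

# The <regex> as posted: os_regex has no \/ escape, so it fails to compile.
POSTED_REGEX = (r"^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from "
                r"(\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)")

# Rewritten for the text the decoder actually receives: header gone, '/'
# unescaped, \. for literal dots; the message id comes from program_name.
ID_REGEX = r"^%PIX-(\d-\d+)"
MSG_REGEX = (r"^(\w+) (\w+ \w+) from (\d+\.\d+\.\d+\.\d+)/(\d+) "
             r"to inside:(\d+\.\d+\.\d+\.\d+)/(\w+)")
MSG_ORDER = ["protocol", "action", "srcip", "srcport", "dstip", "dstport"]


def decode_pix_line(line):
    """Full pipeline on one raw syslog line: header split, then both regexes."""
    program, message = split_syslog_header(line)
    fields = run_decoder(MSG_REGEX, MSG_ORDER, message)
    if fields is None:
        return None
    ident = run_decoder(ID_REGEX, ["id"], program or "")
    if ident:
        fields.update(ident)
    return fields


if __name__ == "__main__":
    print("posted regex:", check_regex(POSTED_REGEX))
    print("rewritten   :", decode_pix_line(LOG_LINE))
```

Running it reports the posted pattern as rejected at the first `\/` (the slash is written bare in decoder.xml), and the rewritten pair of patterns yields protocol, action, srcip, srcport, dstip, dstport and id. Because the timestamp and hostname are removed before decoding, a prematch of `^\w\w\w \d+ \d+:\d+:\d+` has nothing to match; if the date is needed, ossec records it from the syslog header itself rather than through a decoder.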
