Hi,

You don't need an escape backslash in front of the slash in your decoder.
Remove that on both of your "\/" combos in the decoders and it should work.
Cf. http://www.ossec.net/wiki/Know_How:Regex_Readme

Kind regards


On Tue, Jan 12, 2010 at 11:52 AM, gilles loriquer <[email protected]> wrote:

> Hey,
>
> I'm trying to add a new format of pix log because ossec doesn't log my
> log format. Here is the line:
>
> Jan  7 12:18:03 333.333.333.333 %PIX-7-710001: TCP access requested
> from 333.333.333.333/333 to inside:333.333.333.333/https
>
> I wrote the regex and validate it with this website :
> http://www.annuaire-info.com/outil-referencement/expression-reguliere/
>
> You can try to test it with this regex: ^(\w\w\w)  (\d+) (\d+:\d+:\d+) \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)
>
> Here are my added lines in decoder.xml:
>
> <!-- Custom decoder for example -->
> <decoder name="pix-pers">
>  <prematch>^\w\w\w  \d+ \d+:\d+:\d+</prematch>
> </decoder>
>
> <decoder name="pix-pers-alerts">
>  <parent>pix-pers</parent>
>  <regex offset="after_parent">^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)</regex>
>  <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
> </decoder>
>
> Here are my rules in pix-rules.xml
>
> <group name="syslog,pix-pers,">
>  <rule id="111000" level="0">
>    <decoded_as>pix-pers</decoded_as>
>    <description>Grouping of PIX rules by me</description>
>  </rule>
>
>  <rule id="111001" level="8">
>    <if_sid>111000</if_sid>
>    <id>^6-302015</id>
>    <description>Tousdanl'camtar</description>
>  </rule>
> </group>
>
> Here is the result of a logtest:
>
> [r...@template ossec]# bin/ossec-logtest
> 2010/01/12 11:46:34 ossec-analysisd(1450): ERROR: Syntax error on regex: '^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)': 6.
> 2010/01/12 11:46:34 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> [r...@template ossec]#
>
> I'm stuck here. First of all, I took an example of a written decoder
> from the net, but I still misunderstand the way ossec extracts the
> date: is it automatically extracted by this line?
>
> <decoder name="pix-pers">
>  <prematch>^\w\w\w  \d+ \d+:\d+:\d+</prematch>
> </decoder>
>
> ???
>
> Can someone help me find my mistakes or give me a guide on the net?
>
> Thx
>
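To check the reply's diagnosis locally, here is an added example (not from the thread and not OSSEC code) that flags backslash escapes OS_Regex does not accept, applies the suggested fix, and then replays the posted prematch / after_parent / order chain against the sample line, with Python's re standing in for OS_Regex. The escape table and the \w/\d equivalence are assumptions drawn from the regex readme linked in the reply.

```python
import re

# Constructed copy of the PIX line from the thread.
SAMPLE_LINE = ("Jan  7 12:18:03 333.333.333.333 %PIX-7-710001: TCP access requested "
               "from 333.333.333.333/333 to inside:333.333.333.333/https")

# The posted decoder pieces. The child regex still carries the "\/" escapes.
PREMATCH = r"^\w\w\w  \d+ \d+:\d+:\d+"
POSTED_REGEX = (r"^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from "
                r"(\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)")
ORDER = ["id", "protocol", "action", "srcip", "srcport", "dstip", "dstport"]

# Characters OS_Regex accepts after a backslash. Assumption taken from the
# regex readme linked in the reply; check it against your OSSEC version.
OS_REGEX_ESCAPES = set("wdstpWDS.()|^$*+\\")


def find_bad_escapes(pattern):
    """Offsets of backslash escapes OS_Regex would reject as a syntax error."""
    return [m.start() for m in re.finditer(r"\\(.)", pattern)
            if m.group(1) not in OS_REGEX_ESCAPES]


def fix_slash_escape(pattern):
    """The fix from the reply: a literal slash needs no backslash."""
    return pattern.replace(r"\/", "/")


def decode(line, prematch, regex, order):
    """Replay <prematch>, then <regex offset="after_parent">, then <order>.

    Python's re with re.ASCII stands in for OS_Regex here: \\w, \\d, '.' and
    literal characters behave the same on this subset (OS_Regex \\w also admits
    a few symbols, which does not matter for this line). Assumption, not OSSEC code.
    """
    bad = find_bad_escapes(regex)
    if bad:
        raise ValueError("Syntax error on regex at offset(s) %s" % bad)
    pre = re.match(prematch, line, re.ASCII)
    if pre is None:
        return None
    rest = line[pre.end():]                 # after_parent: text following the prematch
    m = re.match(regex, rest, re.ASCII)
    if m is None:
        return None
    return dict(zip(order, m.groups()))     # <order> names the capture groups in sequence


if __name__ == "__main__":
    print("bad escapes at:", find_bad_escapes(POSTED_REGEX))
    print(decode(SAMPLE_LINE, PREMATCH, fix_slash_escape(POSTED_REGEX), ORDER))
```

Note that the shipped OSSEC pix decoder prematches on the %PIX- token rather than on the syslog date, because analysisd strips the timestamp and hostname before decoders see the message; the prematch above is kept only to mirror the posted configuration.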
