Hummmm sorry for my ignorance, I didn't know the logtest tool and my
log format is actually recognized. My alert level was too low to show up
alerts in my log files.

Really sorry.

On 12 jan, 11:52, gilles loriquer <[email protected]> wrote:
> Hey,
>
> I'm trying to add a new format of pix log because ossec doesn't log my
> log format. Here is the line :
>
> Jan  7 12:18:03 333.333.333.333 %PIX-7-710001: TCP access requested
> from 333.333.333.333/333 to inside:333.333.333.333/https
>
> I wrote the regex and validated it with this website :
> http://www.annuaire-info.com/outil-referencement/expression-reguliere/
>
> You can try to test it with this regex : ^(\w\w\w)  (\d+) (\d+:\d+:\d
> +) \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.\d+.\d
> +)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)
>
> Here are my added lines in decoder.xml :
>
> <!-- Custom decoder for example -->
> <decoder name="pix-pers">
>   <prematch>^\w\w\w  \d+ \d+:\d+:\d+</prematch>
> </decoder>
>
> <decoder name="pix-pers-alerts">
>   <parent>pix-pers</parent>
>   <regex offset="after_parent">^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+)
> (\w+ \w+) from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/
> (\w+)</regex>
>   <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
> </decoder>
>
> Here are my rules in pix-rules.xml
>
> <group name="syslog,pix-pers,">
>   <rule id="111000" level="0">
>     <decoded_as>pix-pers</decoded_as>
>     <description>Grouping of PIX rules by me</description>
>   </rule>
>
>   <rule id="111001" level="8">
>     <if_sid>111000</if_sid>
>     <id>^6-302015</id>
>     <description>Tousdanl'camtar</description>
>   </rule>
> </group>
>
> Here is the result of a logtest :
>
> [r...@template ossec]# bin/ossec-logtest
> 2010/01/12 11:46:34 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '^ \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) from (\d+.\d+.
> \d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)': 6.
> 2010/01/12 11:46:34 ossec-testrule(1202): ERROR: Configuration error
> at '/etc/decoder.xml'. Exiting.
> [r...@template ossec]#
>
> I'm stuck here. First of all, I took an example on the net of a
> written decoder, but I still misunderstand the way ossec extracts the
> date : is it automatically extracted by this line ? :
>
> <decoder name="pix-pers">
>   <prematch>^\w\w\w  \d+ \d+:\d+:\d+</prematch>
> </decoder>
>
> ???
>
> Can someone help me find my mistakes or point me to a guide on the
> net ?
>
> Thx
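As an added example (not part of the thread, and not OSSEC's own code), the following Python script applies the quoted PCRE-style regex to the quoted PIX line, maps the capture groups onto the field names from the decoder's <order> element, and then walks the two quoted rules the way the thread's author expects them to chain (111000 groups every decoded line at level 0; 111001 only fires when the PIX message id starts with 6-302015). It shows why the sample line only ever reaches the level-0 grouping rule and therefore produces no alert at the default threshold. Python's `re` engine is not OSSEC's regex engine, so a match here does not prove that OSSEC will accept the same expression; the threshold value and the second sample line are constructed for the example.

```python
import re

# Regex copied from the post (PCRE / Python dialect, NOT OSSEC's own regex engine).
PIX_REGEX = re.compile(
    r"^(\w\w\w)  (\d+) (\d+:\d+:\d+) \d+.\d+.\d+.\d+ %PIX-(\d-\d+): (\w+) (\w+ \w+) "
    r"from (\d+.\d+.\d+.\d+)\/(\d+) to inside:(\d+.\d+.\d+.\d+)\/(\w+)"
)

# Field names in the same order as the <order> element of the posted decoder.
# They cover the capture groups that follow the three timestamp groups.
ORDER = ["id", "protocol", "action", "srcip", "srcport", "dstip", "dstport"]

# Log line from the post (the 333.x addresses are the poster's placeholders).
SAMPLE_LINE = (
    "Jan  7 12:18:03 333.333.333.333 %PIX-7-710001: TCP access requested "
    "from 333.333.333.333/333 to inside:333.333.333.333/https"
)

# Constructed variant whose message id matches the <id> pattern of rule 111001.
CONSTRUCTED_LINE = SAMPLE_LINE.replace("7-710001", "6-302015")

# The two rules from the posted pix-rules.xml, reduced to the attributes used here.
RULES = [
    {"sid": 111000, "level": 0, "decoded_as": "pix-pers"},
    {"sid": 111001, "level": 8, "if_sid": 111000, "id_regex": "^6-302015"},
]

# Assumed alert threshold: the lowest rule level that is written to the alert log.
ALERT_LEVEL_THRESHOLD = 1


def decode_pix(line):
    """Return a dict of decoded fields for one PIX line, or None when it does not match."""
    match = PIX_REGEX.match(line)
    if match is None:
        return None
    groups = match.groups()
    fields = dict(zip(ORDER, groups[3:]))          # groups 4..10 -> <order> names
    fields["timestamp"] = " ".join(groups[:3])     # month, day, time
    fields["decoder"] = "pix-pers"                 # name of the decoder that matched
    return fields


def evaluate(fields, rules=RULES):
    """Walk the rules in order and return (sid, level) of the last rule that matched."""
    if fields is None:
        return None
    matched_sids = set()
    best = None
    for rule in rules:
        if "decoded_as" in rule:
            if fields.get("decoder") != rule["decoded_as"]:
                continue
        if "if_sid" in rule:
            # Child rule: requires the parent to have matched first.
            if rule["if_sid"] not in matched_sids:
                continue
        if "id_regex" in rule:
            if re.match(rule["id_regex"], fields.get("id", "")) is None:
                continue
        matched_sids.add(rule["sid"])
        best = (rule["sid"], rule["level"])
    return best


def should_alert(line, threshold=ALERT_LEVEL_THRESHOLD):
    """True when the line reaches a rule whose level is at or above the threshold."""
    result = evaluate(decode_pix(line))
    return result is not None and result[1] >= threshold


if __name__ == "__main__":
    for line in (SAMPLE_LINE, CONSTRUCTED_LINE):
        fields = decode_pix(line)
        print(fields)
        print("rule hit:", evaluate(fields), "alert:", should_alert(line))
```

Running it shows the quoted line decoding into id 7-710001 and only rule 111000 (level 0) matching, so nothing is written at any positive threshold; the constructed 6-302015 variant reaches rule 111001 at level 8.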
