other basic decoder and rule for openvpn:

decoder:

<!-- openvpn
Mar 9 08:15:37 camaleon-1 openvpn[3995]: 192.168.0.4:48679 [kristianpaul] Peer Connection Initiated with 192.168.0.4:48679 (via 200.21.200.2)
-->
<decoder name="openvpn">
  <program_name>openvpn</program_name>
</decoder>

<!-- I don't get the user yet, so work in progress :) -->
<!-- OSSEC applies only the first child decoder whose regex matches, so the
     decoder that extracts both srcip and user is listed before the generic
     srcip one. In OSSEC regex a plain "." is a literal dot and "[" / "]" are
     literal characters; "\S+" stops at the space in front of "[". -->
<decoder name="openvpn-user">
  <parent>openvpn</parent>
  <regex>^(\d+.\d+.\d+.\d+):\S+ [(\S+)] Peer Connection Initiated</regex>
  <order>srcip, user</order>
</decoder>

<!-- Same extraction written with a prematch and an offset, as an alternative;
     the prematch consumes everything up to and including "[", so the regex
     starts right at the user name. Only one child decoder is applied per line. -->
<decoder name="openvpn-user2">
  <parent>openvpn</parent>
  <prematch>^\d+.\d+.\d+.\d+:\S+ [</prematch>
  <regex offset="after_prematch">^(\S+)] Peer Connection Initiated</regex>
  <order>user</order>
</decoder>

<!-- Fallback for every other openvpn line that starts with the client ip:port -->
<decoder name="openvpn-srcip">
  <parent>openvpn</parent>
  <regex>^(\d+.\d+.\d+.\d+):\S+ </regex>
  <order>srcip</order>
</decoder>

rule:

<group name="openvpn,">
  <rule id="100300" level="0">
    <decoded_as>openvpn</decoded_as>
    <description>Grouping of openvpn rules</description>
  </rule>

  <rule id="100301" level="3">
    <if_sid>100300</if_sid>
    <match>Peer Connection Initiated with</match>
    <options>alert_by_email</options>
    <description>Openvpn Connection Initiated</description>
  </rule>

  <rule id="100302" level="3">
    <if_sid>100301</if_sid>
    <user>kristianpaul</user>
    <description>Paul Openvpn Connection Initiated</description>
  </rule>
</group>

There are no more rules, but you can easily add them for unsuccessful and other types of connections. Of course I allow this work to be added in the next OSSEC release if it is considered worth it :p
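To check what the decoder and rule chain above actually produces before loading it into a live OSSEC, here is a small simulation of the two stages over sample log lines. This is an added example, not code from the post or from OSSEC: the regexes are Python translations of the OSSEC patterns (OSSEC's own syntax treats a plain "." as a literal dot and needs no escape on "["), the syslog header split stands in for what ossec-analysisd does before any decoder runs, and the rule walker models the tree the way OSSEC reports it (a child rule is tried only after its if_sid parent matched, the deepest match is the alert, and options count only on the rule they are written on). The first sample line is the one quoted in the post; the other two are constructed to show an openvpn line that only hits the srcip decoder and a line from a different program.

```python
import re

# Constructed sample lines for this example: the first mirrors the line quoted
# in the post, the other two are made up (an openvpn TLS failure and an sshd line).
SAMPLE_LOGS = [
    "Mar 9 08:15:37 camaleon-1 openvpn[3995]: 192.168.0.4:48679 [kristianpaul] "
    "Peer Connection Initiated with 192.168.0.4:48679 (via 200.21.200.2)",
    "Mar 9 08:16:02 camaleon-1 openvpn[3995]: 10.0.0.7:51001 TLS Error: TLS handshake failed",
    "Mar 9 08:16:05 camaleon-1 sshd[4100]: Accepted publickey for root from 10.0.0.9 port 22",
]

# Syslog header split done before any decoder runs; "prog" is what the parent
# decoder's <program_name> is compared against.
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d+:\d+:\d+) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Python equivalents of the OSSEC child decoders (not the XML patterns verbatim).
# Only the first child whose regex matches is applied, so the specific decoder
# that yields srcip and user is listed before the generic srcip fallback.
CHILD_DECODERS = [
    ("openvpn-user",
     re.compile(r"^(\d+\.\d+\.\d+\.\d+):\S+ \[(\S+)\] Peer Connection Initiated"),
     ("srcip", "user")),
    ("openvpn-srcip",
     re.compile(r"^(\d+\.\d+\.\d+\.\d+):\S+ "),
     ("srcip",)),
]

# The three rules from the post as data. Rules without if_sid are roots; a child
# is tried only once its parent matched. Options stay with the rule they are on.
RULES = {
    100300: {"level": 0, "decoded_as": "openvpn"},
    100301: {"level": 3, "if_sid": 100300, "match": "Peer Connection Initiated with",
             "options": {"alert_by_email"}},
    100302: {"level": 3, "if_sid": 100301, "user": "kristianpaul"},
}


def decode(line):
    """Decoder stage: extracted fields, or None when no decoder applies.

    Child decoders report under the parent name ("openvpn"), which is what a
    rule's <decoded_as> is matched against; the child name is kept for debugging.
    """
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "openvpn":
        return None
    msg = m.group("msg")
    fields = {"decoder": "openvpn", "child": None, "full_log": msg}
    for name, rx, order in CHILD_DECODERS:
        cm = rx.match(msg)
        if cm:
            fields["child"] = name
            fields.update(zip(order, cm.groups()))
            break
    return fields


def _rule_matches(rule, fields):
    if "decoded_as" in rule and rule["decoded_as"] != fields["decoder"]:
        return False
    if "match" in rule and rule["match"] not in fields["full_log"]:
        return False
    if "user" in rule and fields.get("user") != rule["user"]:
        return False
    return True


def _descend(rule_id, fields):
    """Deepest matching rule below rule_id; the first matching child wins."""
    for child_id, child in RULES.items():
        if child.get("if_sid") == rule_id and _rule_matches(child, fields):
            return _descend(child_id, fields)
    return rule_id


def evaluate(line):
    """Decoder plus rule tree over one line; None when no rule fires."""
    fields = decode(line)
    if fields is None:
        return None
    for rule_id, rule in RULES.items():
        if "if_sid" not in rule and _rule_matches(rule, fields):
            final = _descend(rule_id, fields)
            return {
                "rule": final,
                "level": RULES[final]["level"],
                "email": "alert_by_email" in RULES[final].get("options", ()),
                "fields": fields,
            }
    return None


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(evaluate(sample))
```

Running it, the quoted line decodes to srcip 192.168.0.4 and user kristianpaul and ends on rule 100302 at level 3, the TLS-error line only gets a srcip and stays on the level 0 grouping rule, and the sshd line is ignored. Note that the final rule for the kristianpaul login is 100302, which carries no `<options>` of its own, so as modelled here no email is flagged for it; if the email is wanted for that login too, give 100302 its own alert_by_email (or a level at or above email_alert_level) rather than relying on 100301.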
