Hi, I'm configuring new decoders for Asterisk logs and I have a problem with srcip and user log.

This is the sample log:

[2010-05-04 09:05:08] NOTICE[14791]: chan_iax2.c:5831 register_verify: Host 192.168.20.18 failed MD5 authentication for '2345' (a94e219193704e95eac2c8f06fa04f2d != de7a1122e0651aac606f265bad09fa85)

And this is the decoder:

<decoder name="asterisk-denied4">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for '(\S+)'</regex>
  <order>srcip, user</order>
</decoder>

When I see the ossec logs the srcip and user appear empty. Why? What am I doing wrong?

** Alert 1272961312.511785: - syslog,asterisk,invalid_login,
2010 May 04 10:21:52 (dialer) 192.168.150.160->/var/log/messages
Rule: 100010 (level 5) -> 'IAX peer Wrong Password.'
Src IP: (none)
User: (none)
May 4 10:15:46 dialer asterisk[5200]: NOTICE[14797]: chan_iax2.c:5831 in register_verify: Host 192.168.20.18 failed MD5 authentication for '2345' (bc9734938727c15bf8514615a4c160c4 != 37dc5669fa08b5275339449f623b155d)

Best Regards,
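
An offline check of the decoder's two patterns against both log lines quoted in the post, added here as an example and not part of the original message or of OSSEC. It assumes Python's `re` is an adequate stand-in for OSSEC's os_regex on these inputs (brackets and dots are escaped for Python) and that the child decoder sees the text from `NOTICE[` onward; `message_body`, `decode` and `tokens_before_host` are hypothetical helper names.

```python
import re

# Python translations of the decoder's <prematch> and <regex> (assumption:
# equivalent to OSSEC's os_regex for these two inputs).
PREMATCH = re.compile(r"^NOTICE\[\d+\]: \S+ \S+: Host ")
REGEX = re.compile(r"^(\d+\.\d+\.\d+\.\d+) failed MD5 authentication for '(\S+)'")

# Both lines are copied from the post: the sample log and the line in the alert.
SAMPLE_LOG = ("[2010-05-04 09:05:08] NOTICE[14791]: chan_iax2.c:5831 "
              "register_verify: Host 192.168.20.18 failed MD5 authentication "
              "for '2345' (a94e219193704e95eac2c8f06fa04f2d != "
              "de7a1122e0651aac606f265bad09fa85)")
ALERT_LOG = ("May 4 10:15:46 dialer asterisk[5200]: NOTICE[14797]: "
             "chan_iax2.c:5831 in register_verify: Host 192.168.20.18 failed "
             "MD5 authentication for '2345' (bc9734938727c15bf8514615a4c160c4 "
             "!= 37dc5669fa08b5275339449f623b155d)")

def message_body(line):
    """Assumption: the child decoder is handed the text from 'NOTICE[' on."""
    start = line.find("NOTICE[")
    return line[start:] if start >= 0 else line

def decode(line):
    """Return (srcip, user), or None when prematch or regex does not match."""
    body = message_body(line)
    pre = PREMATCH.search(body)
    if pre is None:
        return None
    # offset="after_prematch": the regex starts where the prematch ended.
    m = REGEX.search(body[pre.end():])
    return m.groups() if m else None

def tokens_before_host(line):
    """Whitespace-separated tokens between 'NOTICE[' and ': Host '."""
    return message_body(line).split(": Host ", 1)[0].split()

if __name__ == "__main__":
    for name, line in (("sample", SAMPLE_LOG), ("alert", ALERT_LOG)):
        print(name, decode(line), tokens_before_host(line))
```

Under those assumptions the sample line yields both fields, while the line in the alert has an extra `in` token before `register_verify:` that the `\S+ \S+: Host ` prematch does not allow for.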
