I was thinking it was a formatting thing, just a bad copy and paste. Glad it's working. :)
On Sat, Oct 23, 2010 at 10:31 AM, vcorreia <[email protected]> wrote:
> Wow!!
>
> Thank you so much, it worked like a charm :)
>
> Pastebin really did the trick :D
>
> Thanks for your time, I'll be around your blog trying to learn how to
> write these decoders for myself :)
>
> Vitor
>
> On Oct 23, 4:08 am, "dan (ddp)" <[email protected]> wrote:
>> Here's the output for ossec-logtest for me:
>> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>> 2010/10/22 23:04:34 ossec-testrule: INFO: Reading local decoder file.
>> 2010/10/22 23:04:34 ossec-testrule: INFO: Started (pid: 10010).
>> ossec-testrule: Type one log per line.
>>
>> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '"Vitor Correia" "PT" 89.155.91.201 - -
>> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> Gecko/20101012 Firefox/3.6.11"'
>> hostname: 'ix'
>> program_name: '(null)'
>> log: '"Vitor Correia" "PT" 89.155.91.201 - -
>> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> Gecko/20101012 Firefox/3.6.11"'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'ssl-cert'
>> srcuser: 'Vitor Correia'
>> id: 'PT'
>> srcip: '89.155.91.201'
>> action: 'GET'
>> url: '/collect/main/'
>> status: '200'
>> extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
>> rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>>
>> Here's exactly what I have in local_decoder.xml:
>> <!--
>> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> Windows NT 6.1; en-US; rv:1.9.2
>> .11) Gecko/20101012 Firefox/3.6.11"
>> -->
>>
>> <decoder name="ssl-cert">
>> <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]
>> </prematch>
>> <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
>> \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>> <order>srcuser,id,srcip,action,url,status,extra_data</order>
>> </decoder>
>>
>> I've copied the decoder to pastebin to make sure it isn't getting
>> messed up in the email: http://pastebin.com/HD5rhx2F
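As an added example (not from the thread or from OSSEC itself), here is a small Python prototype that translates the decoder's OSSEC regex syntax into a Python regex and replays the prematch/regex/order steps of Phase 2 against the log line quoted above, so a decoder can be sanity-checked before it goes into local_decoder.xml. It covers only the escapes used here (\., \S, \d, \p and the ^ ( ) + metacharacters); the \p punctuation set is approximated with Python's string.punctuation, which is an assumption rather than the exact os_regex table.

```python
import re
import string

# Sample event and decoder, copied from the thread above (constructed test input).
SAMPLE_LOG = ('"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
              '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
              'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"')
PREMATCH = r'^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]'
REGEX = (r'^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] '
         r'"(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)')
ORDER = "srcuser,id,srcip,action,url,status,extra_data"

# OSSEC escape -> Python regex fragment. \p is approximated with Python's
# punctuation set (assumption: close enough for prototyping, not the exact os_regex table).
_ESCAPES = {
    ".": ".",                                   # \. means "any character" in OSSEC
    "d": r"\d", "D": r"\D", "S": r"\S", "s": " ", "t": "\t",
    "w": r"\w", "W": r"\W",
    "p": "[" + re.escape(string.punctuation) + "]",
}

def ossec_to_python(pattern):
    """Translate the OSSEC decoder regex subset used above into Python re syntax.
    Only ^ $ ( ) | + * are metacharacters in OSSEC; '.', '[' and ']' are literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "^$()|+*" else re.escape(c))
            i += 1
    return "".join(out)

def decode(log, prematch=PREMATCH, regex=REGEX, order=ORDER):
    """Replay ossec-logtest Phase 2: prematch gates the decoder, regex groups map to <order>.
    Returns a dict of field name -> value, or None when the decoder does not apply."""
    if not re.search(ossec_to_python(prematch), log):
        return None
    m = re.search(ossec_to_python(regex), log)
    if not m:
        return None
    return dict(zip(order.split(","), m.groups()))

if __name__ == "__main__":
    for name, value in decode(SAMPLE_LOG).items():
        print(f"{name}: '{value}'")   # same fields ossec-logtest printed, trailing quote included
```

The trailing double quote that shows up in extra_data is reproduced here too: the final `"(\.+)` has no closing `"` after it, so the greedy `\.+` swallows the quote that ends the user-agent string.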
