I am trying to design an additional child decoder in local_decoder.xml for
an Asterisk log entry not covered by the built-in Asterisk Decoder:

This is the log line I am trying to parse:

Dec 22 00:07:55 local1 asterisk[21792]: NOTICE[30573]: chan_iax2.c:7711 in
register_verify: Host 11.22.33.44 denied access to register peer
'testaccount'

I added the following to my existing local_decoders.xml:

<decoder name="asterisk-iax-peer-fail">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)</regex>
  <order>srcip, user</order>
</decoder>

Now the problem is that in ossec-logtest it never gets caught, due to a
similar Asterisk child decoder that comes with the default decoder.xml.
This is the existing one that catches it:

<decoder name="asterisk-iax-authentication-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
  <order>srcip, user</order>
</decoder>

...which works on log entries similar to this one:

Dec 22 04:19:30 local1 asterisk[21792]: NOTICE[30576]: chan_iax2.c:7764 in
register_verify: Host 99.228.252.229 failed MD5 authentication for
'testaccount' (e434414ccd1b7e40b04454e4baf338b6 !=
e9e03ea09899fbbe4c6b871424c1a176)

I am quite new to writing decoders/rules, so I am not quite sure how to get
OSSEC to differentiate between the two. Any help is greatly appreciated!


AF.
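An added example (not part of the post or of OSSEC's own code) that models the child-decoder selection behind the symptom above: the first child whose prematch matches is the one used, so two children with an identical prematch never both get a chance. It assumes OSSEC's first-prematch-wins selection, that decoder.xml's child is checked before the one in local_decoder.xml, and that the `DISTINCT` decoder pair (distinguishing phrase moved into the prematch) is my suggested shape rather than anything from the post.

```python
import re

def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used in these decoders into Python re.
    In OSSEC, \\d \\S \\w \\s are classes, '.' is any character, + * ^ $ | ( )
    are operators, and everything else, including '[' and ']', is literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append({'d': r'\d', 'S': r'\S', 'w': r'\w', 's': r'\s'}.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in '.+*^$|()' else re.escape(ch))
            i += 1
    return ''.join(out)

def decode(message, decoders):
    """Model (assumption) of OSSEC child selection: the first child whose prematch
    matches is used; its regex runs on the text after the prematch when
    offset="after_prematch"; if that regex fails, no sibling is tried."""
    for d in decoders:
        m = re.search(ossec_to_python(d['prematch']), message)
        if not m:
            continue
        text = message[m.end():] if d.get('offset') == 'after_prematch' else message
        r = re.search(ossec_to_python(d['regex']), text)
        return d['name'], (dict(zip(d['order'], r.groups())) if r else {})
    return None, {}

# Constructed from the two log lines in the post: the text after "asterisk[pid]: "
DENIED = ("NOTICE[30573]: chan_iax2.c:7711 in register_verify: Host 11.22.33.44 "
          "denied access to register peer 'testaccount'")
MD5 = ("NOTICE[30576]: chan_iax2.c:7764 in register_verify: Host 99.228.252.229 "
       "failed MD5 authentication for 'testaccount' (e434414ccd1b7e40b04454e4baf338b6"
       " != e9e03ea09899fbbe4c6b871424c1a176)")

SHARED = r'^NOTICE[\d+]: \S+ in \S+: Host '
AS_POSTED = [  # built-in child first, local child second (assumed load order)
    {'name': 'asterisk-iax-authentication-denied', 'prematch': SHARED,
     'offset': 'after_prematch', 'order': ['srcip', 'user'],
     'regex': r'^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)'},
    {'name': 'asterisk-iax-peer-fail', 'prematch': SHARED,
     'offset': 'after_prematch', 'order': ['srcip', 'user'],
     'regex': r'^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)'},
]
# Suggested shape (mine, not from the post): the distinguishing phrase lives in
# the prematch, so exactly one child can claim each message, whatever the order.
DISTINCT = [
    {'name': 'asterisk-iax-authentication-denied', 'order': ['srcip', 'user'],
     'prematch': r'failed MD5 authentication for',
     'regex': r'Host (\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)'},
    {'name': 'asterisk-iax-peer-fail', 'order': ['srcip', 'user'],
     'prematch': r'denied access to register peer',
     'regex': r'Host (\d+.\d+.\d+.\d+) denied access to register peer (\S+)'},
]
```

With `AS_POSTED`, `decode(DENIED, ...)` returns the built-in decoder's name with no fields, which is the "never gets caught" symptom; with `DISTINCT` each line lands on its own decoder in either order.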