I don't think you'll have any luck without modifying the decoder.xml directly. If this is a normal log we can probably include a decoder in the default decoder.xml.
On Thu, Dec 22, 2011 at 11:49 PM, Alan Frisch <[email protected]> wrote:
> I am trying to design an additional child decoder in local_decoder.xml for
> an Asterisk log entry not covered by the built-in Asterisk Decoder:
>
> This is the log line I am trying to parse:
>
> Dec 22 00:07:55 local1 asterisk[21792]: NOTICE[30573]: chan_iax2.c:7711 in register_verify: Host 11.22.33.44 denied access to register peer 'testaccount'
>
> I added the following to my existing local_decoders.xml:
>
> <decoder name="asterisk-iax-peer-fail">
>   <parent>asterisk</parent>
>   <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)</regex>
>   <order>srcip, user</order>
> </decoder>
>
> Now the problem is that in ossec-logtest it never gets caught due to a
> similar Asterisk child decoder that comes with the default decoder.xml;
> this is the existing one that catches it:
>
> <decoder name="asterisk-iax-authentication-denied">
>   <parent>asterisk</parent>
>   <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
>   <order>srcip, user</order>
> </decoder>
>
> ... which works on log entries similar to this one:
>
> Dec 22 04:19:30 local1 asterisk[21792]: NOTICE[30576]: chan_iax2.c:7764 in register_verify: Host 99.228.252.229 failed MD5 authentication for 'testaccount' (e434414ccd1b7e40b04454e4baf338b6 != e9e03ea09899fbbe4c6b871424c1a176)
>
> I am quite new to writing decoders/rules, so I am not quite sure how to
> get OSSEC to differentiate between the two. Any help is greatly
> appreciated!
>
> AF.
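The behaviour the thread runs into, illustrated with an added Python model that is not part of the thread or of OSSEC's source: child decoders are tried in load order (decoder.xml before local_decoder.xml), and the first sibling whose prematch hits is the one that gets to run its regex, so a second sibling with the identical prematch is never reached. The two decoders and the two log lines are the ones quoted above, transcribed from OSSEC's regex dialect into Python's; the DISTINCT_PREMATCH list is a hypothetical rewrite, not a patch from the project, showing what changes once each prematch carries the phrase that distinguishes the two events. The model deliberately ignores rules, parent/offset details beyond after_prematch, and any fall-through logic OSSEC may have; it only reproduces what the thread reports seeing in ossec-logtest.

```python
import re

# Constructed sample input: the two Asterisk lines from the thread, reduced to
# what analysisd hands the asterisk child decoders (syslog header and
# "asterisk[pid]:" already consumed by the parent decoder).
DENIED_LINE = ("NOTICE[30573]: chan_iax2.c:7711 in register_verify: "
               "Host 11.22.33.44 denied access to register peer 'testaccount'")
MD5_LINE = ("NOTICE[30576]: chan_iax2.c:7764 in register_verify: "
            "Host 99.228.252.229 failed MD5 authentication for 'testaccount' "
            "(e434414ccd1b7e40b04454e4baf338b6 != e9e03ea09899fbbe4c6b871424c1a176)")

# The thread's two decoders in load order (the built-in one first, the
# local_decoder.xml one last). OSSEC's own regex engine has no character
# classes, so its '[' is literal and must be escaped for Python; '.' stays
# "any character" in both dialects, as in the thread's IP pattern.
AS_POSTED = [
    {"name": "asterisk-iax-authentication-denied",
     "prematch": r"^NOTICE\[\d+\]: \S+ in \S+: Host ",
     "regex": r"^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)",
     "offset": "after_prematch", "order": ["srcip", "user"]},
    {"name": "asterisk-iax-peer-fail",
     "prematch": r"^NOTICE\[\d+\]: \S+ in \S+: Host ",
     "regex": r"^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)",
     "offset": "after_prematch", "order": ["srcip", "user"]},
]

# Hypothetical rewrite (an assumption for illustration, not project code):
# each prematch includes the phrase that tells the two events apart, so the
# prematch selection itself already picks the right sibling. With no offset
# the regex is applied to the whole child log in this model.
DISTINCT_PREMATCH = [
    {"name": "asterisk-iax-authentication-denied",
     "prematch": r"^NOTICE\[\d+\]: \S+ in \S+: Host \S+ failed MD5 authentication",
     "regex": r"Host (\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)",
     "offset": None, "order": ["srcip", "user"]},
    {"name": "asterisk-iax-peer-fail",
     "prematch": r"^NOTICE\[\d+\]: \S+ in \S+: Host \S+ denied access to register peer",
     "regex": r"Host (\d+.\d+.\d+.\d+) denied access to register peer (\S+)",
     "offset": None, "order": ["srcip", "user"]},
]


def decode(line, decoders):
    """Simplified model of child-decoder selection as the thread observes it:
    the first sibling whose prematch hits is chosen and later siblings are not
    tried; its regex then runs on the text after the prematch when
    offset="after_prematch", otherwise on the whole line. Returns
    (decoder name, extracted fields); fields are empty when the chosen
    decoder's regex does not match, and the name is None when no prematch hit."""
    for dec in decoders:
        pm = re.search(dec["prematch"], line)
        if pm is None:
            continue
        target = line[pm.end():] if dec["offset"] == "after_prematch" else line
        m = re.search(dec["regex"], target)
        fields = dict(zip(dec["order"], m.groups())) if m else {}
        return dec["name"], fields
    return None, {}


def decode_both(decoders):
    """Run both sample lines through one decoder list, for side-by-side comparison."""
    return {"md5": decode(MD5_LINE, decoders), "denied": decode(DENIED_LINE, decoders)}


if __name__ == "__main__":
    for label, decs in (("as posted", AS_POSTED), ("distinct prematch", DISTINCT_PREMATCH)):
        print(f"== {label} ==")
        for key, (name, fields) in decode_both(decs).items():
            print(f"  {key:6s} -> {name}: {fields}")
```

With the decoders as posted, the "denied access" line is claimed by asterisk-iax-authentication-denied (its prematch hits first) and its regex then fails, so nothing is extracted and asterisk-iax-peer-fail is never consulted. With distinct prematches each line lands on its own decoder, and both yield srcip and user; note that user comes out as 'testaccount' with the quotes, because the thread's `(\S+)` capture keeps them.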
