On Wed, Feb 29, 2012 at 5:05 AM, C. L. Martinez <[email protected]> wrote:
> On Tue, Feb 28, 2012 at 3:27 PM, C. L. Martinez <[email protected]> wrote:
>> Hi all,
>>
>> Am I wrong, or do rules and a decoder to process CheckPoint
>> Firewall-1 logs not exist??
>>
>> Thanks.
>
> Oops ... Sorry, my mistake. I see it. But I need to parse CHKP logs
> from an export log and not from syslog ... If I am not wrong, I need
> to write a new decoder and after that some rules.
>
> I am trying to write this decoder, without luck. My sample log:
>
> "Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service" "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name" "Current Rule Number" "User" "Information" "Product" "Source Machine Name" "Source User Name"
> "2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https" "1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard" "" "service_id: https" "VPN-1 Power/UTM" "" ""
>
> My first try:
>
> <decoder name="custom-checkpoint">
>   <program_name>^CHCKPNT1</program_name>

Is that what ossec-logtest says the program_name is?

>   <prematch>^\s+ "\d\d\Ddd\dddd" "\d\d:\d\d:\d\d" </prematch>
> </decoder>
>
> Any idea??
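As an added illustration (not code from anyone in this thread), the following Python parses the quoted, space-separated CheckPoint export format shown above and maps the columns onto the field names an OSSEC decoder would normally fill. The record-start pattern is a Python regex, not OSSEC regex syntax; the column-to-field mapping is an assumption about which fields rules would want.

```python
import csv
import io
import re

# Constructed sample, copied from the thread: a CheckPoint Firewall-1 log
# export with a quoted header row followed by one quoted record.
SAMPLE_EXPORT = (
    '"Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service" '
    '"Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name" '
    '"Current Rule Number" "User" "Information" "Product" '
    '"Source Machine Name" "Source User Name"\n'
    '"2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https" '
    '"1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard" '
    '"" "service_id: https" "VPN-1 Power/UTM" "" ""\n'
)

# Python equivalent of the prematch the thread is trying to write: a record
# starts with a quoted number, a quoted DDMonYYYY date and a quoted time.
# (OSSEC regex syntax differs; this only shows what the line really begins with.)
RECORD_RE = re.compile(r'^"\d+" "\d\d[A-Za-z]{3}\d{4}" "\d\d:\d\d:\d\d" ')

# Export column -> OSSEC decoder field name (assumed mapping).
FIELD_MAP = {
    "Source": "srcip",
    "Destination": "dstip",
    "Source Port": "srcport",
    "Action": "action",
    "Protocol": "protocol",
    "Origin": "hostname",
}


def parse_export(text):
    """Parse a CheckPoint export; return a list of dicts keyed by header name."""
    reader = csv.reader(io.StringIO(text), delimiter=" ", quotechar='"')
    header = next(reader)
    records = []
    for row in reader:
        if not row:
            continue  # skip blank lines
        if len(row) != len(header):
            raise ValueError("field count %d != header count %d" % (len(row), len(header)))
        records.append(dict(zip(header, row)))
    return records


def decode(record):
    """Map one parsed record onto the field names an OSSEC decoder would fill."""
    return {ossec: record[col] for col, ossec in FIELD_MAP.items()}


def prematch(line):
    """True if the line looks like a data record rather than the header row."""
    return RECORD_RE.match(line) is not None
```

Note that the header row fails the prematch while the data record passes it, which is the distinction a decoder for this export needs to make.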
