>>> I am trying to write this decoder, without luck. My sample log:
>>>
>>> "Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service"
>>> "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name"
>>> "Current Rule Number" "User" "Information" "Product" "Source Machine
>>> Name" "Source User Name"
>>> "2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https"
>>> "1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard"
>>> "" "service_id: https" "VPN-1 Power/UTM" "" ""
>>>
>>> My first try:
>>>
>>> <decoder name="custom-checkpoint">
>>> <program_name>^CHCKPNT1</program_name>
>>
>> Is that what ossec-logtest says the program_name is?
>>
>
> Nope, another mistake of mine. ... program_name doesn't exist in my
> logs. I need to filter by firewall name, CHKPNT1, and after that by
> action, port, srcip, dstip ....
Ok, now it seems the pre-decoder works:

<decoder name="custom-checkpoint">
<prematch>^"\d" "\w+" "(\d\d:\d\d:\d\d)" "\w+" "CHCKPNT1"</prematch>
</decoder>

Is it correct?? But there is one problem: with some logs like this:

"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" "domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" "" "inzone: Internal; outzone: Internal; service_id: domain-udp" "VPN-1 Power/UTM" "" ""

... it doesn't work ...
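An added example (not from the thread or from OSSEC itself) that reproduces the behaviour described above: it translates the subset of OSSEC's decoder regex syntax used in the prematch into a Python regex and runs it over the two constructed sample lines. The character classes are assumed from the OSSEC regex-syntax documentation (`\d` is a single digit, `\w` is letters, digits, `@`, `_` and `-`, so it does not cover the `.` in `bond0.30`), and the widened prematch is a suggestion, not a tested OSSEC decoder.

```python
import re

# Assumption: character classes as documented for OSSEC's own regex engine.
OSSEC_CLASSES = {
    r"\d": "[0-9]",            # one digit; "\d+" is needed for "20"
    r"\w": "[A-Za-z0-9@_-]",   # no "." here, so "bond0.30" fails "\w+"
    r"\s": " ",
    r"\S": "[^ ]",
    r"\.": ".",                # OSSEC's "anything" is "\." not "."
}

def ossec_to_python(pattern):
    """Translate OSSEC <prematch>/<regex> syntax to a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in OSSEC_CLASSES:
            out.append(OSSEC_CLASSES[tok])
            i += 2
        elif pattern[i] in "^$()+*":   # same meaning in both engines
            out.append(pattern[i])
            i += 1
        else:                          # everything else is literal
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def prematch(pattern, line):
    """Return the captured time field if the prematch hits, else None."""
    m = re.search(ossec_to_python(pattern), line)
    return m.group(1) if m else None

# Constructed sample lines, shortened copies of the two log records in the thread.
LINE_2 = '"2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https"'
LINE_20 = '"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" "domain-udp"'

# The prematch from the post, and a widened one that tolerates a multi-digit
# record number and any interface name without spaces.
ORIGINAL = r'^"\d" "\w+" "(\d\d:\d\d:\d\d)" "\w+" "CHCKPNT1"'
WIDENED = r'^"\d+" "\w+" "(\d\d:\d\d:\d\d)" "\S+" "CHCKPNT1"'

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("widened", WIDENED)):
        for line in (LINE_2, LINE_20):
            print(name, prematch(pat, line), line[:40])
```

Running it shows the original prematch capturing the time for record 2 only, while the widened one matches both records.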
