On Wed, Feb 29, 2012 at 12:40 PM, C. L. Martinez <[email protected]> wrote:
>>>> I am trying to write this decoder, without luck. My sample log:
>>>>
>>>> "Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service"
>>>> "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name"
>>>> "Current Rule Number" "User" "Information" "Product" "Source Machine
>>>> Name" "Source User Name"
>>>> "2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https"
>>>> "1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard"
>>>> "" "service_id: https" "VPN-1 Power/UTM" "" ""
>>>>
>>>> My first try:
>>>>
>>>> <decoder name="custom-checkpoint">
>>>> <program_name>^CHCKPNT1</program_name>
>>>
>>> Is that what ossec-logtest says the program_name is?
>>>
>>
>> Nop, another mistake of mine ... program_name doesn't exist in my
>> logs. I need to filter by firewall name, CHCKPNT1 and after by
>> action,port,srcip,dstip ....
>
> Ok, now it seems pre-decoder works:
>
> <decoder name="custom-checkpoint">
> <prematch>^"\d" "\w+" "(\d\d:\d\d:\d\d)" "\w+" "CHCKPNT1"</prematch>
> </decoder>
>
> is it correct??
>
> But one problem exists, with some logs like this:
>
> "20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept"
> "domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" ""
> "inzone: Internal; outzone: Internal; service_id: domain-udp" "VPN-1
> Power/UTM" "" ""
>
> ... doesn't work ...
Any help please??
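As an added illustration (not from the thread or from OSSEC itself), the prematch quoted above transcribed into Python's `re` and run against both sample lines, beside a parser for the quoted-column format that pulls out the firewall name, action, port and addresses the poster wants to filter on. It assumes that OSSEC's `\d`, `\w` and `\S` behave like Python's for the characters in these lines.

```python
import csv
import re

# Column names from the header row quoted in the thread, in order.
FIELDS = ["Number", "Date", "Time", "Interface", "Origin", "Type", "Action",
          "Service", "Source Port", "Source", "Destination", "Protocol",
          "Rule", "Rule Name", "Current Rule Number", "User", "Information",
          "Product", "Source Machine Name", "Source User Name"]

# The two log lines from the thread: the one the prematch accepted and the
# one it rejected (sample input copied from the post, joined onto one line).
LOG_ACCEPTED = ('"2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https" '
                '"1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard" '
                '"" "service_id: https" "VPN-1 Power/UTM" "" ""')
LOG_REJECTED = ('"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" '
                '"domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" "" '
                '"inzone: Internal; outzone: Internal; service_id: domain-udp" '
                '"VPN-1 Power/UTM" "" ""')

# The prematch from the post, transcribed to Python re (assumption: OSSEC's \d,
# \w and \S match these characters the same way). "\d" allows exactly one digit
# in Number, and "\w+" cannot match the '.' in an interface such as bond0.30.
PREMATCH_ORIGINAL = re.compile(r'^"\d" "\w+" "(\d\d:\d\d:\d\d)" "\w+" "CHCKPNT1"')
# Relaxed form: any run of digits, and any non-space run for the interface.
PREMATCH_RELAXED = re.compile(r'^"\d+" "\w+" "(\d\d:\d\d:\d\d)" "\S+" "CHCKPNT1"')


def prematch_hits(pattern, line):
    """True when the prematch would let the decoder proceed on this line."""
    return pattern.match(line) is not None


def parse_fields(line):
    """Split one space-separated, double-quoted record into a {column: value} dict."""
    values = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}")
    return dict(zip(FIELDS, values))


def decode(line, pattern=PREMATCH_RELAXED):
    """Mimic the decoder: gate on the prematch, then extract the fields the
    poster wants to filter on. Returns None when the prematch does not hit."""
    if not prematch_hits(pattern, line):
        return None
    rec = parse_fields(line)
    return {"firewall": rec["Origin"], "action": rec["Action"],
            "srcport": rec["Source Port"], "srcip": rec["Source"],
            "dstip": rec["Destination"], "proto": rec["Protocol"]}
```

Running `decode(LOG_REJECTED, PREMATCH_ORIGINAL)` returns None for the second line while the relaxed pattern decodes both, which is the behaviour the post reports.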
