On Thu, Mar 1, 2012 at 3:02 PM, Viktor Gazdag <[email protected]> wrote:
> Hi!
>
> Here is the new decoder! This log file record is a little bit different,
> that's why it didn't work. But with my new decoder, it works well with both
> records! ;)
> I'll write you a quick & basic ossec decoder tutorial! If something isn't good,
> I hope ddp will correct me!
> First we have to give a name to our decoder and it has to be between the
> decoder tags: <decoder name="custom_checkpoint"> </decoder>. So that's the
> 1st and 5th rows.
> It is a good idea to use prematch and regex offset="after_prematch" (2nd and
> 3rd rows), which will do the following: ossec examines the log to see if it
> contains the value in the prematch tag (2nd row). If, and only if, it contains
> it, then it will "run" the regex (3rd row).
> If we want to decode and log data like source ip (srcip) then we have to put
> it in the parentheses (3rd row).
> The <order></order> tags (4th row) tell ossec the sequence of the decoded
> data: which data is the source ip, which is the protocol etc.
> OK, now some regex!
> Here you can learn the syntax of regex in ossec:
> http://www.ossec.net/wiki/Know_How:Regex_Readme
> Examples: \w -> A-Z, a-z, 0-9 characters.
> \s -> For spaces " "
> \S -> For anything not \s
> + -> To match one or more times (eg \w+ or \d+).
>
> And after a lot of writing here is my decoder! :) The difference is I use
> \S+ instead of \w+, because the dstip contains dots.
>
> <decoder name="custom_checkpoint">
>   <prematch>"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"</prematch>
>   <regex offset="after_prematch">"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"</regex>
>   <order>action, srcport, srcip, dstip, protocol</order>
> </decoder>
>
> "13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log" "Accept" "http"
> "3336" "wrk01" "192.168.209.167" "tcp" "53" "" "53-Standard" ""
> "service_id: http" "VPN-1 Power/UTM" "" ""
>
> **Phase 2: Completed decoding.
> decoder: 'custom_checkpoint'
> action: 'Accept'
> srcport: '3336'
> srcip: 'wrk01'
> dstip: '192.168.209.167'
> proto: 'tcp'
>
> "20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept"
> "domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" ""
> "inzone: Internal; outzone: Internal; service_id: domain-udp" "VPN-1
> Power/UTM" "" ""
>
> **Phase 2: Completed decoding.
> decoder: 'custom_checkpoint'
> action: 'Accept'
> srcport: '61347'
> srcip: 'srv01'
> dstip: 'srvdns'
> proto: 'udp'
>
> Best regards
> woodspeed
Many thanks Viktor. I have made some adjustments to the decoder and now all works ok.
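The prematch / regex offset="after_prematch" / order flow that Viktor walks through can be checked offline before the decoder goes into the OSSEC config. The script below is an added example for this thread, not code from the mails or from the OSSEC project: it emulates that flow with Python's re module, translating the OSSEC operators the mail lists (\w, \d, \s, \S, +) into standard classes exactly as the mail defines them (an assumption; OSSEC's own matcher is a custom engine and differs in corner cases, so ossec-logtest remains the authority). It runs the custom_checkpoint decoder over constructed copies of the two records from the thread, and also runs a variant with \w+ for dstip to show why \S+ is needed: the variant decodes the "srvdns" record but extracts nothing from the "192.168.209.167" record, which is the "works with one record but not the other" symptom the thread started with.

```python
import re

# Constructed copies of the two Check Point records quoted in the thread,
# each as a single line (the trailing carriage return is dropped).
SAMPLE_LOGS = [
    '"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log" "Accept" "http" '
    '"3336" "wrk01" "192.168.209.167" "tcp" "53" "" "53-Standard" "" '
    '"service_id: http" "VPN-1 Power/UTM" "" ""',
    '"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" '
    '"domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" "" '
    '"inzone: Internal; outzone: Internal; service_id: domain-udp" '
    '"VPN-1 Power/UTM" "" ""',
]

# The decoder from the mail, as a dict instead of XML.
CUSTOM_CHECKPOINT = {
    "name": "custom_checkpoint",
    "prematch": r'"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"',
    "offset": "after_prematch",
    "regex": r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"',
    "order": ["action", "srcport", "srcip", "dstip", "protocol"],
}

# Same decoder with \w+ for dstip: the variant the mail says does not work.
BROKEN_DSTIP = dict(
    CUSTOM_CHECKPOINT,
    regex=r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"',
)

# OSSEC escape -> Python character class, following the definitions in the
# mail. Assumption: the real OSSEC matcher differs in corner cases.
OSSEC_ESCAPES = {
    "w": "[A-Za-z0-9]",
    "d": "[0-9]",
    "s": " ",
    "S": "[^ ]",
    "W": "[^A-Za-z0-9]",
    "D": "[^0-9]",
    "t": "\\t",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC regex string into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \. \( \) and friends are literals in OSSEC; re.escape keeps them so
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # operators OSSEC and Python share pass through; everything else is literal
        out.append(ch if ch in "()+*|^$." else re.escape(ch))
        i += 1
    return "".join(out)


def decode(decoder: dict, log: str):
    """Emulate one decoder pass and return the fields ossec-logtest would print.

    None                 -> prematch did not hit, decoder does not apply
    {'decoder': name}    -> prematch hit but the regex extracted nothing
    {'decoder': ..., ..} -> prematch hit and the capture groups were named via order
    """
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if pre is None:
        return None
    # offset="after_prematch": the regex only sees the text after the prematch hit
    body = log[pre.end():] if decoder.get("offset") == "after_prematch" else log
    fields = {"decoder": decoder["name"]}
    hit = re.search(ossec_to_python(decoder["regex"]), body)
    if hit is not None:
        # <order> names the capture groups from left to right
        fields.update(zip(decoder["order"], hit.groups()))
    return fields


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print("custom_checkpoint:", decode(CUSTOM_CHECKPOINT, log))
        print("with \\w+ for dstip:", decode(BROKEN_DSTIP, log))
```

ossec-logtest prints the protocol field as "proto" even though the order tag says "protocol"; the emulator keeps the name given in order. A prematch that never hits returns None, which is the case to check first when a decoder seems to do nothing at all.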
