Hello!
I can't seem to get ossec to process my shorewall logs stored by ULOG. Logs
look like normal syslog. But no decoder can identify them.
Here is an example:
Jul 8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0 OUT=eth0
MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5
DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=3192 SEQ=3
And the output of ossec-logtest:
**Phase 1: Completed pre-decoding.
full event: 'Jul 8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0
OUT=eth0 MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5
DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=3192 SEQ=3'
hostname: 'morrey'
program_name: '(null)'
log: 'Shorewall:vps2net:DROP: IN=br0 OUT=eth0
MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5
DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=3192 SEQ=3'
**Phase 2: Completed decoding.
No decoder matched.
Tried to create a few different local decoders but all of them fail.
Could you please point me in the right direction? I need to stop banging my head
already :)
Best regards,
Vasilito
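For reference, the logtest output above shows why the stock decoders miss this line: the pre-decoder reports program_name '(null)', because "Shorewall:vps2net:DROP:" does not look like the "program[pid]:" token it expects, so the whole message is left in the log field. A local decoder therefore has to match on the log body with a prematch instead of on program_name. The following decoder and rule are an added example written against the log line in this post, not code from the poster or from the OSSEC project; the decoder name, the rule id 100100 (chosen from the local-rule range) and the file placement in local_decoder.xml / local_rules.xml are assumptions.

```xml
<!-- local_decoder.xml: match the Shorewall ULOG line quoted in the post.
     The pre-decoder left program_name empty, so we anchor on the log body.
     OSSEC regex syntax: \S = non-space, \w = word char, \.* = anything. -->
<decoder name="shorewall-ulog">
  <!-- "Shorewall:<chain>:<ACTION>: IN=..." -->
  <prematch>^Shorewall:\S+:\w+: IN=</prematch>
  <!-- Capture the action, SRC, DST and PROTO fields; MAC= is optional,
       so \.* skips whatever sits between OUT= and SRC=. -->
  <regex>^Shorewall:\S+:(\w+): IN=\S* OUT=\S* \.*SRC=(\S+) DST=(\S+) \.*PROTO=(\w+)</regex>
  <order>action, srcip, dstip, protocol</order>
</decoder>

<!-- local_rules.xml: raise an alert for packets Shorewall dropped.
     Rule id 100100 is a constructed id from the local (100000+) range. -->
<group name="shorewall,">
  <rule id="100100" level="5">
    <decoded_as>shorewall-ulog</decoded_as>
    <action>DROP</action>
    <description>Shorewall dropped a packet.</description>
  </rule>
</group>
```

After adding both files, paste the same line into ossec-logtest again: Phase 2 should now name the shorewall-ulog decoder with srcip 192.168.15.5, dstip 223.121.249.32, proto ICMP and action DROP, and Phase 3 should show rule 100100 firing.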