I think this output is very identical to what you get from Mikrotik RouterBoards. This tool can help you understand how regex works so you can write your own decoders: http://gskinner.com/RegExr/

Expr: Shorewall:\w+:DROP: IN=br0 OUT=eth0 MAC=\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+\s\sSRC=\d+.\d+.\d+.\d+.DST=\d+.\d+.\d+.\d+.
Log: Shorewall:vps2net:DROP: IN=br0 OUT=eth0 MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5 DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3192 SEQ=3

Another example (syslog): http://www.ossec.net/doc/manual/rules-decoders/create-custom.html

bg
dejan

On Jul 8, 10:21 pm, Vasilito <[email protected]> wrote:
> Hello!
>
> I can't seem to get ossec to process my shorewall logs stored by ULOG. Logs
> look like normal syslog. But no decoder can identify them.
>
> Here is an example:
>
> Jul 8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0 OUT=eth0
> MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5
> DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=3192 SEQ=3
>
> And the output of ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jul 8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0
> OUT=eth0 MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5
> DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=3192 SEQ=3'
> hostname: 'morrey'
> program_name: '(null)'
> log: 'Shorewall:vps2net:DROP: IN=br0 OUT=eth0
> MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5
> DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=3192 SEQ=3'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> Tried to create a few different local decoders but all of them fail.
>
> Could you please point me in the right direction? Need to stop banging my head
> already :)
>
> Best regards,
> Vasilito
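As an added example (not code from either poster), the following Python parses the ULOG line from the thread into the fields a decoder would need to capture, and carries a decoder sketch in OSSEC's own syntax built from dejan's expression. The decoder layout (`prematch`, `regex`, `order`) is assumed from the OSSEC manual linked above; the Python regexes are only a local sanity check of the line's structure, since OSSEC evaluates its own regex dialect, not Python's.

```python
import re
from typing import Optional

# Constructed from the line in Vasilito's post, with the syslog header removed
# (this is the 'log:' field that ossec-logtest printed).
SAMPLE_LOG = ("Shorewall:vps2net:DROP: IN=br0 OUT=eth0 "
              "MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00 SRC=192.168.15.5 "
              "DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF "
              "PROTO=ICMP TYPE=8 CODE=0 ID=3192 SEQ=3")

# Shorewall/ULOG lines: "Shorewall:<chain>:<action>:" followed by Netfilter key=value pairs.
PREFIX_RE = re.compile(r"^Shorewall:(?P<chain>\w+):(?P<action>\w+):\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")      # value may be empty, e.g. "OUT=" on an INPUT chain
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Decoder sketch in OSSEC syntax (assumed layout, per the OSSEC manual linked in the
# thread; put it in a local decoder file and confirm with ossec-logtest). The address
# pattern is taken from dejan's expression; \s+ covers the double space after MAC=.
DECODER_XML = r"""<decoder name="shorewall-ulog">
  <prematch>^Shorewall:\w+:\w+: IN=</prematch>
  <regex>^Shorewall:\w+:(\w+): IN=\S+ OUT=\S* MAC=\S+\s+SRC=(\d+.\d+.\d+.\d+) DST=(\d+.\d+.\d+.\d+) </regex>
  <order>action, srcip, dstip</order>
</decoder>"""


def parse_shorewall(log: str) -> Optional[dict]:
    """Return the fields a decoder should capture, or None for non-Shorewall lines."""
    m = PREFIX_RE.match(log)
    if not m:
        return None
    fields = {"chain": m["chain"], "action": m["action"]}
    flags = []
    for token in m["rest"].split():
        kv = KV_RE.fullmatch(token)
        if kv is None:
            flags.append(token)             # bare flags such as DF
            continue
        key, value = kv.groups()
        fields.setdefault(key, value)       # ID occurs twice (IP header, then ICMP); keep the first
    fields["flags"] = flags
    # Only accept lines whose SRC/DST are usable as srcip/dstip in a rule.
    for key in ("SRC", "DST"):
        if not IPV4_RE.match(fields.get(key, "")):
            return None
    return fields
```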
