Thanks a lot! Worked like a charm.

09.07.2012 16:07, dan (ddp) wrote:
Double check everything, I only spent about 5 minutes on it.

<decoder name="shorewall-new">
   <prematch>^Shorewall:</prematch>
   <!-- The regex must be on a single line (the mail client wrapped it). "\s+" before SRC= absorbs the double space that follows MAC= in the sample log line quoted in this thread. -->
   <regex offset="after_prematch">\S+:(\S+): IN=(\S+) OUT=(\S+) MAC=\S+\s+SRC=(\S+) DST=(\S+) LEN=\d+ TOS=\S+ PREC=\S+ TTL=\d+ ID=\d+ \S+ PROTO=(\S+)</regex>
   <!-- Captures map to fields in this order: action, IN (extra_data), OUT (extra_data), srcip, dstip, protocol -->
   <order>action,extra_data,extra_data,srcip,dstip,protocol</order>
</decoder>

On Sun, Jul 8, 2012 at 4:21 PM, Vasilito <[email protected]> wrote:
Hello!

I can't seem to get ossec to process my shorewall logs stored by ULOG. Logs
look like normal syslog. But no decoder can identify them.

Here is an example:

Jul  8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0 OUT=eth0
MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00  SRC=192.168.15.5
DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=3192 SEQ=3

And the output of ossec-logtest:

**Phase 1: Completed pre-decoding.
        full event: 'Jul  8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0
OUT=eth0 MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00  SRC=192.168.15.5
DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=3192 SEQ=3'
        hostname: 'morrey'
        program_name: '(null)'
        log: 'Shorewall:vps2net:DROP: IN=br0 OUT=eth0
MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00  SRC=192.168.15.5
DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=3192 SEQ=3'

**Phase 2: Completed decoding.
        No decoder matched.

Tried to create a few different local decoders but all of them fail.

Could you please point me in the right direction? Need to stop banging my head
already :)

Best regards,
Vasilito
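To check a candidate field layout against sample lines offline, here is an added Python re-implementation of what the shorewall-new decoder in this thread extracts. It is example code written for this thread, not OSSEC code, and Python's re engine is not OSSEC's os_regex, so a match here only shows that a sample line has the field layout the decoder expects; ossec-logtest remains the authority. It goes slightly beyond the posted decoder: the whitespace before SRC= is matched as \s+, an empty OUT= is accepted, and the DF token is optional. The first sample line is the one from the thread; the other two are constructed.

```python
import re
from typing import Optional

# Sample lines: the first is the line posted in this thread, the other two
# are constructed (an inbound REJECT with empty OUT= and no DF flag, and an
# unrelated sshd line that must not decode).
SAMPLE_LOGS = [
    "Jul  8 20:09:47 morrey Shorewall:vps2net:DROP: IN=br0 OUT=eth0 "
    "MAC=16:6c:fc:92:f6:2d:00:16:2e:31:8b:83:08:00  SRC=192.168.15.5 "
    "DST=223.121.249.32 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=3192 SEQ=3",
    "Jul  8 20:10:01 morrey Shorewall:net2fw:REJECT: IN=eth0 OUT= "
    "MAC=00:16:2e:31:8b:83:16:6c:fc:92:f6:2d:08:00 SRC=198.51.100.7 "
    "DST=192.0.2.10 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=41234 PROTO=TCP "
    "SPT=51515 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul  8 20:10:05 morrey sshd[1234]: Accepted publickey for alice from 192.0.2.5",
]

# Mimics OSSEC pre-decoding, which strips the syslog timestamp and hostname
# before decoders see the message.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")

# Equivalent of <prematch>^Shorewall:</prematch>
PREMATCH = "Shorewall:"

# Python equivalent of the decoder's <regex> (applied after the prematch).
# Differences from the thread's pattern, all assumptions made here:
#   - "\s+" before SRC= accepts the double space seen in the sample line
#   - IN=/OUT= accept an empty interface name (inbound packets have OUT=)
#   - the "DF" token is optional
FIELDS = re.compile(
    r"\S+?:(?P<action>[^:\s]+): IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) "
    r"MAC=(?P<mac>\S*)\s+SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) LEN=\d+ "
    r"TOS=\S+ PREC=\S+ TTL=\d+ ID=\d+ (?:DF )?PROTO=(?P<protocol>\S+)"
)


def decode_shorewall(line: str) -> Optional[dict]:
    """Return the fields the decoder's <order> line names, or None on no match."""
    msg = SYSLOG_HEADER.sub("", line, count=1)
    if not msg.startswith(PREMATCH):
        return None
    m = FIELDS.match(msg[len(PREMATCH):])  # offset="after_prematch"
    if m is None:
        return None
    g = m.groupdict()
    # Same field names as <order>action,extra_data,extra_data,srcip,dstip,protocol</order>
    return {
        "action": g["action"],
        "extra_data": [g["in_if"], g["out_if"]],
        "srcip": g["srcip"],
        "dstip": g["dstip"],
        "protocol": g["protocol"],
    }


def decode_all(lines):
    """Decode a batch of lines; unmatched lines are reported as None."""
    return [decode_shorewall(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS)):
        print(line[:60] + "...")
        print("   ->", fields if fields else "No decoder matched.")
```

Run it on a file of real ULOG lines (one per line) to find which lines the field layout rejects; those are the lines to feed to ossec-logtest when adjusting the decoder.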