On Thu, Sep 6, 2012 at 7:15 PM, Saul D <[email protected]> wrote:
> Hi Dan,
>
> An example of the type of log it would be handy to be able to define a
> pre-decoder for is oddly-formatted Cisco logs.
>
> I have log entries with the following format coming from a Cisco router:
>
> Aug 24 06:38:50 routerHostName 9564499: Aug 23 20:38:49.217:

What is 9564499? It's being decoded as the program_name. Add <program_name>9564499</program_name> to the decoder and it works.

> %SEC-6-IPACCESSLOGP: list 120 denied tcp 1.125.236.165(0) ->
> 119.225.120.9(0), 1 packet
>
> The problem I have with defining a custom decoder for it is that the default
> syslog pre-decoder seems to "take over" as soon as my regex covers more than
> the first "Aug 24 06:38:50 " part of the message. Presumably this is
> because it matches the pattern of a standard syslog message? What I want to
> do, however, is define a prematch that extends further into the log message
> to enable OSSEC to be able to understand my version of the Cisco messages.
> e.g.:
>
> <decoder name="cisco-ios">
> <prematch>^\w+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+\d+: \w+\s+\d+\\s+\d\d:\d\d:\d\d.\d\d\d: </prematch>
> </decoder>
>
> Is there any way to get this to work?
>
> For now, it seems the only way to enable OSSEC to understand my Cisco logs
> is by redefining every single Cisco rule, basing them on a parent rule that
> matches on the second timestamp like this:
>
> <rule id="100023" level="0">
> <if_sid>1002</if_sid>
> <regex>^\w\w\w\s+\d+\s+\d\d:\d\d:\d\d.\d\d\d: </regex>
> <description>Cisco messages (custom log style) grouped.</description>
> </rule>
>
> But this seems like more work than it should be.
>
> Is there a better way to decode these messages than this? Please tell me
> there is!
>
> Thanks for your help,
>
> Saul
>
> On Saturday, January 9, 2010 6:31:17 AM UTC+11, Daniel Cid wrote:
>>
>> Hi Abey,
>>
>> The pre-decoders are very simple and we only use them for very common
>> log formats, like syslog, apache, squid, etc. Look at
>> src/analysisd/cleanevent.c to see how we do them.
>>
>> Can you share what log you are trying to parse? Maybe a pre-decoder
>> isn't needed and you can use just the xml (way easier).
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Tue, Jan 5, 2010 at 7:33 AM, Abey <[email protected]> wrote:
>> > Hi,
>> >
>> > I was wondering if it is possible to define custom pre-decoders in
>> > OSSEC?
>> >
>> > I also have decoders and rule matching working OK on syslog, but I
>> > have another log file which has a format different from syslog and would
>> > need to do pre-decoding before the decoding.
>> >
>> >
>> > Thanks
>> > Abey
>> >
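Added example, not code from the thread or from OSSEC itself: a Python emulation of the two stages at play in this message. The syslog pre-decoder splits off the timestamp, hostname and program_name first (so the sequence number 9564499 lands in program_name, which is why a prematch that re-covers that prefix never sees it), and a decoder regex then runs on what is left. The pre-decoder regex is an approximation of what cleanevent.c does, and the digit check on program_name stands in for the <program_name> element; both are assumptions, and the sample line is constructed from the format quoted above.

```python
import re

# Constructed sample line, in the format Saul quotes above.
SAMPLE = ("Aug 24 06:38:50 routerHostName 9564499: Aug 23 20:38:49.217: "
          "%SEC-6-IPACCESSLOGP: list 120 denied tcp 1.125.236.165(0) -> "
          "119.225.120.9(0), 1 packet")

# Assumed approximation of the syslog pre-decoder in src/analysisd/cleanevent.c:
# "Mon DD HH:MM:SS host prog[pid]: rest", where prog runs up to ':' or '['.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<program_name>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<log>.*)$"
)

def predecode_syslog(line):
    """Fields the pre-decoder hands to the XML decoders, or None if the
    line does not look like syslog at all."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()

# Inner Cisco IOS message: router timestamp, then %FACILITY-SEV-MNEMONIC.
CISCO_ACL_RE = re.compile(
    r"^(?P<cisco_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d{3}):\s+"
    r"%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+):\s+"
    r"list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+(?P<protocol>\w+)\s+"
    r"(?P<srcip>[\d.]+)\((?P<srcport>\d+)\)\s+->\s+"
    r"(?P<dstip>[\d.]+)\((?P<dstport>\d+)\),\s+(?P<packets>\d+)\s+packets?"
)

def decode_cisco_acl(log):
    """Decode only the remainder left over after pre-decoding."""
    m = CISCO_ACL_RE.match(log)
    return m.groupdict() if m else None

def decode(line):
    """Pre-decode, then decode. The decoder is selected only when
    program_name is a bare sequence number (assumed stand-in for the
    <program_name> element), so ordinary syslog lines are left alone."""
    pre = predecode_syslog(line)
    if pre is None or not pre["program_name"].isdigit():
        return None
    fields = decode_cisco_acl(pre["log"])
    if fields is None:
        return None
    return {**pre, **fields}
```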
