The OSSEC allowed fields are listed at the beginning of the file etc/decoder.xml. In your case, 'dstport' is correct. For the extra fields in the raw log which you want to skip (ipproto= ipdatalen= ...), you need to count them out using <regex> like the following:

<decoder name="clavister">
  <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
</decoder>

<decoder name="clavister-alert">
  <parent>clavister</parent>
  <regex offset="after_parent">\.+ action=(\w+) rule=\w+ recvif=\w+ srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) ipproto=\w+ ipdatalen=\d+ srcport=(\d+) destport=(\d+) (\.*)</regex>
  <order>action,srcip,dstip,srcport,dstport,extra_data</order>
</decoder>

On Wednesday, November 14, 2012 6:49:10 AM UTC-8, Michiel van Es wrote:
>
> Hello,
>
> I am trying to set up a local_decoder.xml entry to decode our Clavister
> log entries.
> The clavister logfiles show only outgoing dropped traffic, for example:
>
> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
> id=06000051 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1
>
> I could not find an existing clavister decoder so I am trying to write my
> own.
> I tried something as follows:
>
> <decoder name="clavister">
>   <prematch>^\w+ \d+ \S+ </prematch>
> </decoder>
>
> If I get it correct the ^ is beginning of the line, \w+ = Month, \d+ = day
> of month, \S+ = time, but it's not working as expected; running logtest shows:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
> RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1'
>        hostname: '10.170.80.3'
>        program_name: '(null)'
>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> It does not show the clavister field at Phase 2 which I would expect.
>
> Can anyone point out what I am doing wrong even with this simple
> <prematch> example?
>
> Thanks in advance.
>
> Regards,
>
> Michiel
>
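To see why the first prematch missed and how the replacement decoder maps its capture groups onto the <order> fields, here is an added Python script (not code from this thread, and not OSSEC's own matcher). It assumes a simplified translation of OSSEC regex classes (\d, \w, \s, \S, \.) into Python regexes, which is close enough for this decoder but is not the real engine; ossec-logtest remains the authority. The sample event is copied from the quoted post, and the pre-decoding step mimics what logtest printed in Phase 1: syslog timestamp and hostname are stripped, program_name is null because the remainder starts with "[", and <prematch> is applied to that stripped "log" field, not to the full event.

```python
import re

# Constructed sample: the event quoted in the thread, as one line.
SAMPLE_EVENT = (
    "Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
    "id=06000051 rev=1 event=ruleset_drop_packet action=drop "
    "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
    "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 "
    "ack=1 fin=1"
)

# Assumption: approximate Python equivalents of OSSEC's regex classes.
# OSSEC treats '.', '[' and '-' as literals; only these escapes are special.
_OSSEC_CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9@_-]",
    "s": " ",
    "S": r"\S",
    ".": ".",
    "t": r"\t",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<prematch> pattern into a Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_CLASSES:
            out.append(_OSSEC_CLASSES[pattern[i + 1]])
            i += 2
            continue
        # Grouping, repetition and anchors keep their meaning; everything else is literal.
        out.append(ch if ch in "()+*^$" else re.escape(ch))
        i += 1
    return "".join(out)


def pre_decode(event):
    """Mimic OSSEC pre-decoding of a syslog line: hostname, program_name, log."""
    m = re.match(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    rest = m.group(3)
    # program_name is only set when the remainder looks like "name[pid]: ..." or "name: ..."
    prog = re.match(r"^([^\s\[:]+)(?:\[\d+\])?: (.*)$", rest)
    if prog:
        return {"hostname": m.group(2), "program_name": prog.group(1), "log": prog.group(2)}
    return {"hostname": m.group(2), "program_name": None, "log": rest}


def run_decoder(log, prematch, regex, order):
    """Apply a parent <prematch>, then a child <regex offset="after_parent">; return the fields."""
    pm = re.search(ossec_to_python(prematch), log)
    if not pm:
        return None                      # "No decoder matched."
    remainder = log[pm.end():]           # offset="after_parent" starts where the prematch ended
    m = re.search(ossec_to_python(regex), remainder)
    if not m:
        return {}                        # parent matched, child regex did not
    return dict(zip(order, m.groups()))  # groups are assigned to <order> names left to right


# The decoder from the reply above.
PREMATCH = r"^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: "
REGEX = (r"\.+ action=(\w+) rule=\w+ recvif=\w+ srcip=(\d+.\d+.\d+.\d+) "
         r"destip=(\d+.\d+.\d+.\d+) ipproto=\w+ ipdatalen=\d+ srcport=(\d+) "
         r"destport=(\d+) (\.*)")
ORDER = ["action", "srcip", "dstip", "srcport", "dstport", "extra_data"]


def decode_sample():
    """Run the reply's decoder over the pre-decoded sample event."""
    return run_decoder(pre_decode(SAMPLE_EVENT)["log"], PREMATCH, REGEX, ORDER)


def original_prematch_hits(event):
    """Return (matches the pre-decoded log, matches the full event) for '^\\w+ \\d+ \\S+ '."""
    pat = ossec_to_python(r"^\w+ \d+ \S+ ")
    log = pre_decode(event)["log"]
    return (re.search(pat, log) is not None, re.search(pat, event) is not None)


if __name__ == "__main__":
    print(pre_decode(SAMPLE_EVENT))
    print(original_prematch_hits(SAMPLE_EVENT))
    print(decode_sample())
```

The second helper shows the failure mode from the question: the month/day/time prematch would match the raw line, but by the time a decoder sees the event those fields are already consumed, so the log handed to <prematch> begins with the bracketed Clavister timestamp. Counting the skipped key=value pairs (ipproto=, ipdatalen=) with \w+ and \d+ keeps the number of capture groups equal to the number of names in <order>, which is what makes dstport land in the right field.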
