On Thu, Dec 13, 2012 at 2:39 PM, Seb James <[email protected]> wrote:
> Hi all,
>
> I am currently attempting to set up a custom decoder with a install of OSSEC
> on a Debian system.
>
> My log is
> "2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335"
>
> with a decoder of
>
> "<decoder name="magento-alert">
> <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d</prematch>
> <regex offset="after_prematch">^ DEBUG \(7\) : File Ref
> MAGO(\d\d\d\d\d\d\d\d\d)</regex>
> <order>extra_data</order>
> </decoder>"
>
> I run the log line through ossec-logtest but it doesn't find a match.
>
> Now if I change the log line to
>
> "2012-12-07T18:09:20 DEBUG (7) : File Ref MAGO100003354"
>
> and the decoder to
>
> "
> <decoder name="magento-alert">
> <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d</prematch>
> <regex offset="after_prematch">^ DEBUG \(7\) : File Ref
> MAGO(\d\d\d\d\d\d\d\d\d)</regex>
> <order>extra_data</order>
> </decoder>
> "
>
> It finds the match in the test.
>
> So this tells me that there is a problem with the "+00:00" part of the
> regexp, but I checked here for the correct way to match a "+".
>
> Can anybody help me please?
>
> Thanks
# cat /tmp/h | /var/ossec/bin/ossec-logtest
2012/12/13 14:47:47 ossec-testrule: INFO: Reading local decoder file.
2012/12/13 14:47:47 ossec-testrule: INFO: Started (pid: 21899).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335'
hostname: 'DEBUG'
program_name: '(null)'
log: '(7) : File Ref MAGO10000335'
**Phase 2: Completed decoding.
No decoder matched.
####################
<decoder name="stuff">
<prematch>^\(7\) : </prematch>
<regex offset="after_prematch">^File Ref MAGO(d+)$</regex>
<order>extra_data</order>
</decoder>
####################
# cat /tmp/h | /var/ossec/bin/ossec-logtest
2012/12/13 14:49:59 ossec-testrule: INFO: Reading local decoder file.
2012/12/13 14:49:59 ossec-testrule: INFO: Started (pid: 22271).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335'
hostname: 'DEBUG'
program_name: '(null)'
log: '(7) : File Ref MAGO10000335'
**Phase 2: Completed decoding.
decoder: 'stuff'
#########################
Oops:
<decoder name="stuff">
<prematch>^\(7\) : </prematch>
<regex offset="after_prematch">^File Ref MAGO(\d+)$</regex>
<order>extra_data</order>
</decoder>
###########################
# cat /tmp/h | /var/ossec/bin/ossec-logtest
2012/12/13 14:51:24 ossec-testrule: INFO: Reading local decoder file.
2012/12/13 14:51:24 ossec-testrule: INFO: Started (pid: 28796).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335'
hostname: 'DEBUG'
program_name: '(null)'
log: '(7) : File Ref MAGO10000335'
**Phase 2: Completed decoding.
decoder: 'stuff'
extra_data: '10000335'
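The logtest output above is the key: Phase 1 pre-decoding consumes the timestamp and takes `DEBUG` as the hostname, so the decoder's `prematch` runs against the remaining `log` field (`(7) : File Ref ...`) and a prematch anchored on the timestamp can never match. The script below is an added example, not part of this thread or of OSSEC's code: it models that pre-decoding for this one line (a hypothetical, simplified `pre_decode`), translates the small subset of OSSEC regex syntax used here to Python `re`, and reproduces the three outcomes shown (no match, decoder matched but no field, field extracted).

```python
import re

# Constructed sample input: the log line from the thread.
LOG_LINE = "2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335"

# Hypothetical, simplified model of ossec-logtest Phase 1 for a line that opens
# with an ISO 8601 timestamp: the timestamp token is consumed, the next token is
# taken as hostname, and everything after it becomes the 'log' field.
def pre_decode(line):
    _timestamp, hostname, log = line.split(" ", 2)
    return {"full_event": line, "hostname": hostname,
            "program_name": None, "log": log}

# Translate the OSSEC regex subset used in the thread into Python re syntax:
# \d = digit, \p = punctuation, \( \) = literal parens; ^ $ + ( ) keep meaning.
_PUNCT = "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]"
def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append({"d": "[0-9]", "p": _PUNCT}.get(nxt, "\\" + nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def decode(decoder, fields):
    """Apply prematch, then regex with offset=after_prematch, to the log field."""
    log = fields["log"]
    pre = re.match(ossec_to_python(decoder["prematch"]), log)
    if pre is None:
        return None          # logtest reports "No decoder matched"
    m = re.match(ossec_to_python(decoder["regex"]), log[pre.end():])
    if m is None:
        return {}            # decoder named, but no field extracted (the "Oops" case)
    return dict(zip(decoder["order"], m.groups()))

ORIGINAL = {"prematch": r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d",
            "regex": r"^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)",
            "order": ["extra_data"]}
OOPS = {"prematch": r"^\(7\) : ", "regex": r"^File Ref MAGO(d+)$", "order": ["extra_data"]}
FIXED = {"prematch": r"^\(7\) : ", "regex": r"^File Ref MAGO(\d+)$", "order": ["extra_data"]}

def run_all():
    fields = pre_decode(LOG_LINE)
    return {name: decode(d, fields) for name, d in
            [("original", ORIGINAL), ("oops", OOPS), ("fixed", FIXED)]}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, "->", result)
```

Running it prints `original -> None`, `oops -> {}` and `fixed -> {'extra_data': '10000335'}`, the same progression as the three ossec-logtest runs.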