Hello everybody,

I'm trying to read filtered SonicWall logs on the syslog server using OSSEC. The following is what I attempted.

1. Verified whether the existing decoder for SonicWall helps.

   Existing decoder in the decoder.xml file:

   <decoder name="sonicwall">
     <type>firewall</type>
     <prematch>^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
     <plugin_decoder>SonicWall_Decoder</plugin_decoder>
   </decoder>

   My log:

   Feb 7 16:33:10 id=firewall sn=001AA5A9A5EC time="2013-02-07 12:23:05 UTC" fw=x.x.x.x pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SNMP -- public Access (UDP)" sid=748 appcat=PROTOCOLS appid=1591 n=8687321 src=x.x.x.x:1071:X3: dst=y.y.y.y:161:X2:

   I used ossec-logtest; it returned "no decoder found".

2. Tried writing my own decoder (added a few strings to the prematch):

   <decoder name="sonicwall">
     <type>firewall</type>
     <prematch>^\w+ \d+ \S+ id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
     <plugin_decoder>SonicWall_Decoder</plugin_decoder>
   </decoder>

   This also isn't working.

Kindly help in building a decoder and writing the associated rules.

Thanks,
Shaun
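A way to check a <prematch> against a log line offline, as an added example that is not part of Shaun's message or of OSSEC itself. It translates the documented OSSEC regex escapes (\w, \d, \s, \S, \p, \. and their negations, plus the *, + and ? modifiers and ^/$ anchors) into Python regular expressions and applies the stock prematch, the second attempt from the post, and a hypothetical third variant to the log line quoted above (addresses redacted as in the post). The point it surfaces: in this log the quoted time value, `time="2013-02-07 12:23:05 UTC"`, is three space-separated tokens, while `time=\S+ \S+ fw=` can consume only two before it expects `fw=`, so both posted patterns fail at the same place whether or not the syslog header is accounted for. The translation is an approximation of the os_regex dialect and does not model OSSEC's syslog pre-decoding of the header, so ossec-logtest remains the authority; the THREE_TOKEN_PREMATCH pattern is an assumption for illustration, not a tested decoder.

```python
import re

# Constructed sample: the SonicWall line quoted in the post, as it arrived on
# the syslog server (syslog timestamp prepended, addresses redacted as posted).
SAMPLE_LOG = (
    'Feb 7 16:33:10 id=firewall sn=001AA5A9A5EC time="2013-02-07 12:23:05 UTC" '
    'fw=x.x.x.x pri=1 c=0 m=1154 msg="Application Control Detection Alert: '
    'PROTOCOLS SNMP -- public Access (UDP)" sid=748 appcat=PROTOCOLS appid=1591 '
    'n=8687321 src=x.x.x.x:1071:X3: dst=y.y.y.y:161:X2:'
)

# OSSEC's regex dialect has a small, fixed set of escapes. Map each to a Python
# character class. Note that OSSEC's \w also covers '-', '@' and '_', \s is a
# plain space (tabs are \t) and \. means "any character".
_OSSEC_ESCAPES = {
    'w': '[A-Za-z0-9@_-]',
    'W': '[^A-Za-z0-9@_-]',
    'd': '[0-9]',
    'D': '[^0-9]',
    's': ' ',
    'S': '[^ ]',
    't': '\t',
    'p': r'[()*+,\-.:;<=>?\[\]]',
    '.': '.',
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex.

    Approximation (assumption, not the OSSEC engine): handles the documented
    escapes, the * + ? modifiers, ^/$ anchors, () groups and | alternation;
    every other character is treated as a literal, as OSSEC does.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(ch if ch in '*+?^$()|' else re.escape(ch))
        i += 1
    return ''.join(out)


def prematch(pattern: str, log: str) -> bool:
    """True if the OSSEC-style pattern matches the log text (anywhere unless ^-anchored)."""
    return re.search(ossec_to_python(pattern), log) is not None


def strip_syslog_header(log: str) -> str:
    """Drop the 'Mon D HH:MM:SS ' prefix the syslog server added (single-space form, as posted)."""
    return log.split(' ', 3)[3]


def time_tokens(log: str) -> list:
    """The space-separated tokens between 'time=' and ' fw=' that the \\S+ terms must consume."""
    m = re.search(r'time=(.*?) fw=', log)
    return m.group(1).split(' ') if m else []


# The stock decoder's prematch, as quoted in the post.
STOCK_PREMATCH = r'^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d '
# The poster's second attempt: same pattern with the syslog header in front.
HEADER_PREMATCH = r'^\w+ \d+ \S+ id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d '
# Hypothetical variant (assumption): allow a third token inside the quoted
# time value, since this log carries a "UTC" suffix after the clock time.
THREE_TOKEN_PREMATCH = r'^\w+ \d+ \S+ id=\w+ sn=\w+ time=\S+ \S+ \S+ fw=\S+ pri=\d '


def check_prematches(log: str = SAMPLE_LOG) -> dict:
    """Apply all three prematches to the raw line and the stock one to the header-stripped line."""
    return {
        'stock_raw': prematch(STOCK_PREMATCH, log),
        'stock_header_stripped': prematch(STOCK_PREMATCH, strip_syslog_header(log)),
        'with_header': prematch(HEADER_PREMATCH, log),
        'three_token_time': prematch(THREE_TOKEN_PREMATCH, log),
    }


if __name__ == '__main__':
    for name, ok in check_prematches().items():
        print(f'{name:22s} {"match" if ok else "no match"}')
    print('time= tokens before fw=:', time_tokens(SAMPLE_LOG))
```

Running it shows that stripping the header alone does not rescue the stock prematch: the two `\S+` terms stop at `12:23:05` and then expect ` fw=` where the log has ` UTC"`. Whatever pattern is finally chosen still has to be confirmed with ossec-logtest, since that also exercises the header pre-decoding this script does not attempt to reproduce.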
