Your SonicWall log time="2013-02-07 12:23:05 UTC" contains three words for the time stamp (extra "UTC" at the end), but the decoder "time=\S+ \S+" matches two words only.

Try changing it to "time=\S+ \S+ \S+".

On Saturday, February 9, 2013 11:01:07 PM UTC-8, Shaun wrote:
>
> Hello everybody,
>
> I'm trying to read filtered SonicWall logs on the syslog server using
> OSSEC. The following is what I attempted:
>
> 1. *verified whether the existing decoder for SonicWall helps*
>
> existing decoder on the decoder.xml file
>
> <decoder name="sonicwall">
>   <type>firewall</type>
>   <prematch>^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
>   <plugin_decoder>SonicWall_Decoder</plugin_decoder>
> </decoder>
>
> My log
>
> Feb 7 16:33:10 id=firewall sn=001AA5A9A5EC time="2013-02-07 12:23:05 UTC"
> fw=x.x.x.x pri=1 c=0 m=1154 msg="Application Control Detection Alert:
> PROTOCOLS SNMP -- public Access (UDP)" sid=748 appcat=PROTOCOLS
> appid=1591 n=8687321 src=x.x.x.x:1071:X3: dst=y.y.y.y:161:X2:
>
> I used ossec-logtest, it returned no decoder found
>
> 2. Tried writing my own decoder
> (added few strings for prematch)
>
> <decoder name="sonicwall">
>   <type>firewall</type>
>   <prematch>^\w+ \d+ \S+ id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
>   <plugin_decoder>SonicWall_Decoder</plugin_decoder>
> </decoder>
>
> This also isn't working
>
> Kindly help in building a decoder and write associated rules
>
> Thanks
> Shaun
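The mismatch described in the reply, as an added example that is not part of the original thread and not OSSEC's own code: a small Python translator for the subset of OSSEC's prematch syntax used by these decoders (an approximation of os_regex assumed here: \w is letters, digits, '-', '@', '_'; \d is a digit; \s a single space; \S anything but a space), run against the log from the post. The log line is constructed from the thread, and it is assumed the decoder sees the text starting at "id=" once the syslog timestamp has been pre-decoded away.

```python
import re

# Subset of OSSEC's prematch dialect used in this thread, mapped to Python
# character classes. This mapping is an approximation, not OSSEC's own code.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_@\-]",  # OSSEC \w: letters, digits, '-', '@', '_'
    "d": r"[0-9]",            # OSSEC \d: a digit
    "s": r" ",                # OSSEC \s: a single space
    "S": r"[^ ]",             # OSSEC \S: anything but a space
}

def ossec_to_python(prematch: str) -> str:
    """Translate an OSSEC-style prematch into a Python regex (subset only)."""
    out, i = [], 0
    while i < len(prematch):
        ch = prematch[i]
        if ch == "\\":                      # escaped class such as \S
            cls = prematch[i + 1]
            if cls not in _OSSEC_CLASSES:
                raise ValueError(f"unsupported OSSEC escape: \\{cls}")
            out.append(_OSSEC_CLASSES[cls])
            i += 2
        elif ch in "^$+*":                  # anchors and repeat modifiers
            out.append(ch)
            i += 1
        else:                               # everything else is literal
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

def prematch_hits(prematch: str, log: str) -> bool:
    """True if the prematch matches at the start of the log text."""
    return re.match(ossec_to_python(prematch), log) is not None

# Constructed from the log in the post (addresses masked as in the thread).
RAW = ('Feb 7 16:33:10 id=firewall sn=001AA5A9A5EC time="2013-02-07 12:23:05 UTC" '
       'fw=x.x.x.x pri=1 c=0 m=1154 msg="Application Control Detection Alert"')
MSG = RAW[RAW.index("id="):]   # assumption: decoder sees the body after the header

STOCK = r"^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d "            # stock decoder
POSTERS = r"^\w+ \d+ \S+ id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d "  # Shaun's try
FIXED = r"^id=\w+ sn=\w+ time=\S+ \S+ \S+ fw=\S+ pri=\d "        # third \S+ added

def check_all() -> dict:
    """Which prematch variants match: only the three-word time= form does."""
    return {"stock": prematch_hits(STOCK, MSG),
            "posters": prematch_hits(POSTERS, RAW),
            "fixed": prematch_hits(FIXED, MSG)}

if __name__ == "__main__":
    print(check_all())
```

Both failing variants stop at the same place: the second \S+ consumes "12:23:05", the next literal is " fw=", but the log has " UTC"" there.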
