Sorry for the late reply. I've been trying to test and noticed that I had indeed left out a freaking "," as you suggested.

Btw, I stumbled upon a difficulty while trying to test all this on a VM. Try this test log on your lab and confirm if "action" returns a "d":

    Mar 6 14:43:33 172.16.1.2 %ASA-3-710003: TCP access denied by ACL from 1.1.1.1/52652 to OUTSIDE:2.2.2.2/22

It returned a "d" in my case. To fix it I went ahead and added a space in the following decoder entry for pix (RED text):

    <decoder name="pix-fw2">
      <parent>pix</parent>
      <type>firewall</type>
      <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
      <regex offset="after_parent">^(\S+): (\S+) \w+ (\w+) \.+from </regex>
      <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
      <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
    </decoder>

=======================

Aside from that I'll continue testing on my end since I seem to have another mistake somewhere...

Btw Dan, I'm testing a snorby script that works similarly to ossec2mysql.pl that I'd like to give another week's worth of testing in my prod environment before sharing it with everyone.
https://groups.google.com/forum/?fromgroups=#!searchin/ossec-list/snorby/ossec-list/e6hfIQA3AWA/XJemc5kNLKgJ

How should I send the changes over to you? pastebin or a simple paste here in google groups?
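An added offline check for the pix-fw2 decoder in the message above (example code, not from the thread or the OSSEC project): it maps OSSEC regex atoms onto Python's re module (an assumed approximation; ossec-logtest is the authoritative test) and verifies that "action" captures the whole word "denied" for the sample line rather than a truncated "d".

```python
import re

# Constructed sample from the thread, with the syslog header and the "%ASA-"
# prefix removed: the parent "pix" decoder consumes that prefix, so the child
# decoder's offset="after_parent" patterns start right here.
SAMPLE_AFTER_PARENT = ("3-710003: TCP access denied by ACL from "
                       "1.1.1.1/52652 to OUTSIDE:2.2.2.2/22")

# The two <regex> lines of pix-fw2 joined the way OSSEC concatenates
# consecutive <regex> elements, plus its <order> list.
PIX_FW2_REGEX = (r"^(\S+): (\S+) \w+ (\w+) \.+from "
                 r"(\S+)/(\S+) to \w+:(\S+)/(\S+)")
PIX_FW2_ORDER = ["id", "protocol", "action", "srcip", "srcport", "dstip", "dstport"]

# Assumed translation of OSSEC regex atoms; OSSEC's \. means "any character"
# and its \w also covers '-' and '@', unlike Python's.
_OSSEC_TO_PY = {
    r"\.": ".",
    r"\w": r"[A-Za-z0-9_@\-]",
    r"\S": r"\S",
    r"\s": r"\s",
    r"\d": r"\d",
}

def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder <regex> into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _OSSEC_TO_PY:
            out.append(_OSSEC_TO_PY[two]); i += 2
        elif pattern[i] in "()^$+*|":      # same meaning in both engines
            out.append(pattern[i]); i += 1
        else:                              # everything else is literal
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def decode(pattern: str, order: list, text: str) -> dict:
    """Apply a decoder regex and map captured groups onto the <order> names."""
    m = re.search(ossec_regex_to_python(pattern), text)
    return dict(zip(order, m.groups())) if m else {}

def check_action(fields: dict, expected: str = "denied") -> bool:
    """The check the thread asks for: is 'action' the whole word, not 'd'?"""
    return fields.get("action") == expected

if __name__ == "__main__":
    fields = decode(PIX_FW2_REGEX, PIX_FW2_ORDER, SAMPLE_AFTER_PARENT)
    for name, value in fields.items():
        print(f"{name:>8}: {value}")
    print("action OK" if check_action(fields) else "action truncated")
```

Edit PIX_FW2_REGEX to match the exact `<regex>` text in your local decoder.xml before trusting the result, and confirm with `ossec-logtest` on the full syslog line.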
