On Wed, Sep 4, 2013 at 11:48 AM, ZaNN <[email protected]> wrote:
> Hello everyone,
>
> I am having trouble extracting the username from this samba error log:
>
> Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel
>
> I just want to extract the user sorigel, so I could create some active-response script in the short run :) However I am not able to create a new decoder from the smbd parent decoder:
>
> My child decoder:
>
> <decoder name="smbd-home">
>   <parent>smbd</parent>
>   <prematch offset="after_parent">^\S+canonicalize_connect_path failed</prematch>
>   <regex offset="after_prematch">^for service (\w+),</regex>
>   <order>user</order>
> </decoder>
>
> Below is the logtest output, where no username is extracted and no child samba decoder is executed....
>
> [root@gandalf ossec]# bin/ossec-logtest
> 2013/09/04 17:38:39 ossec-testrule: INFO: Reading local decoder file.
> 2013/09/04 17:38:39 ossec-testrule: INFO: Reading the lists file: 'list/suspicious-dns.lst'
> 2013/09/04 17:38:39 ossec-testrule: INFO: Started (pid: 11699).
> ossec-testrule: Type one log per line.
>
> Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
>        hostname: 'sauron'
>        program_name: 'smbd'
>        log: ' canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
>
> **Phase 2: Completed decoding.
>        decoder: 'smbd'
>
> Any help will be much appreciated
>
<decoder name="smbd-user">
  <parent>smbd</parent>
  <regex offset="after_parent"> for service (\S+), path (\S+)$</regex>
  <order>user,extra_data</order>
</decoder>

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
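To see why the poster's child decoder never fires while the one in the reply does, here is an added Python emulation of the two decoders run over a few sample smbd lines. It is not code from the thread or from OSSEC: the syslog pre-decoder is a simplified stand-in, OSSEC's own regex dialect is translated to Python `re` (for these patterns `\S+` and `$` behave the same), and `offset="after_parent"` is treated as the start of the log field, on the assumption that the stock `smbd` parent decoder matches on program_name only. The sample lines are constructed; only the first is the line quoted in the thread. The second sample reproduces what the poster's logtest output suggests, a log field that begins with a space, and the third is an unrelated smbd message the child decoder must ignore.

```python
import re

# Constructed sample lines. Only the first is the line quoted in the thread;
# the rest are made up here to exercise the decoders.
SAMPLE_LINES = [
    "Sep  3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed "
    "for service sorigel, path /home/SCYTL_INT/sorigel",
    # Same message with a second space after the colon, so the log field
    # starts with ' canonicalize...' as in the poster's logtest output.
    "Sep  3 14:42:51 sauron smbd[12606]:  canonicalize_connect_path failed "
    "for service sorigel, path /home/SCYTL_INT/sorigel",
    # Unrelated smbd message: the child decoder must not fire on it.
    "Sep  3 14:43:02 sauron smbd[12606]:   Allowed connection from 10.0.0.5 (10.0.0.5)",
    # Not smbd at all: the parent does not match, so the child is never tried.
    "Sep  3 14:43:10 sauron sshd[4242]: Accepted publickey for sorigel from 10.0.0.5 port 51234 ssh2",
]

# Simplified stand-in for the syslog pre-decoder (assumption, not OSSEC code):
# '<timestamp> <hostname> <program_name>[pid]: <log>'. Everything after the
# first ': ' becomes the log field, so any extra leading space survives in it.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\[\s:]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line):
    """Phase 1: split a syslog line into hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


# The poster's prematch, translated to Python re. '^\S+' demands at least one
# non-space character immediately before 'canonicalize', and the log field has
# none (it starts with 'canonicalize' or with a space), so it can never match.
PREMATCH_OP = re.compile(r"^\S+canonicalize_connect_path failed")

# The reply's decoder: no anchor at the front, so it is searched anywhere in
# the log field; '$' pins the path to the end of the line.
REGEX_REPLY = re.compile(r" for service (\S+), path (\S+)$")
ORDER_REPLY = ("user", "extra_data")


def op_prematch_fires(fields):
    """Would the poster's 'smbd-home' prematch match this pre-decoded event?"""
    return (
        fields is not None
        and fields["program_name"] == "smbd"
        and PREMATCH_OP.match(fields["log"]) is not None
    )


def decode_smbd_user(fields):
    """Phase 2 for the reply's 'smbd-user' child decoder.

    Returns the fields named in <order>, or None when the smbd parent does
    not match or the regex finds nothing in the log field."""
    if fields is None or fields["program_name"] != "smbd":
        return None
    m = REGEX_REPLY.search(fields["log"])
    if not m:
        return None
    return dict(zip(ORDER_REPLY, m.groups()))


def run(lines):
    """Pre-decode and decode each line; one result (dict or None) per line."""
    return [decode_smbd_user(predecode(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, run(SAMPLE_LINES)):
        fields = predecode(line)
        print(f"log field: {fields['log']!r}")
        print(f"  smbd-home prematch fires: {op_prematch_fires(fields)}")
        print(f"  smbd-user extracted:      {result}")
```

Two caveats worth keeping in mind when adapting the reply's decoder for an active-response script: `(\S+)` stops at the first space, so a share path containing spaces would be truncated in `extra_data`, and anything the decoder extracts into `user` comes straight from the log line, so a rule that feeds it to a script should treat it as untrusted input rather than a validated account name.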
