Hello everyone,
I am having trouble extracting the *username* from this samba error log:
Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel
I just want to extract the user sorigel, so that I can create an active-response
script in the short run :) However, I am not able to create a new child decoder
from the smbd parent decoder.
My child decoder:
<decoder name="smbd-home">
  <parent>smbd</parent>
  <prematch offset="after_parent">^\S+canonicalize_connect_path failed</prematch>
  <regex offset="after_prematch">^for service (\w+),</regex>
  <order>user</order>
</decoder>
Below is the logtest output, where no *username* is extracted and no child samba
decoder is executed:
[root@gandalf ossec]# bin/ossec-logtest
2013/09/04 17:38:39 ossec-testrule: INFO: Reading local decoder file.
2013/09/04 17:38:39 ossec-testrule: INFO: Reading the lists file: 'list/suspicious-dns.lst'
2013/09/04 17:38:39 ossec-testrule: INFO: Started (pid: 11699).
ossec-testrule: Type one log per line.
Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel

**Phase 1: Completed pre-decoding.
       full event: 'Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
       hostname: 'sauron'
       program_name: 'smbd'
       log: ' canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'

**Phase 2: Completed decoding.
       decoder: 'smbd'
Any help will be much appreciated.
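As an added example (not code from the original post, nor OSSEC's own code), the Python script below imitates what ossec-logtest does with this line: it pre-decodes the syslog header into hostname, program_name and log, then applies the child decoder's prematch from the after_parent offset (the start of the log field, since the stock smbd parent only matches on program_name) and its regex from the after_prematch offset. It runs the patterns exactly as posted and then a corrected pair, which is my assumption rather than anything stated in the post: `^\s*` in the prematch, because the pre-decoded log field shown above starts with a space, and a leading space in the regex, because the text left over after the prematch begins with a space before "for". The OSSEC-to-Python token translation is an approximation of os_regex, good enough for these two patterns.

```python
import re

# Constructed copy of the log line quoted in the post.
SAMBA_LINE = ("Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed "
              "for service sorigel, path /home/SCYTL_INT/sorigel")

# Approximate translation of OSSEC regex tokens to Python re syntax
# (assumption: a demonstration, not OSSEC's os_regex engine).
_OSSEC_TO_PY = {
    "\\w": "[A-Za-z0-9_@-]",   # OSSEC \w: alphanumerics plus '-', '@', '_'
    "\\W": "[^A-Za-z0-9]",
    "\\d": "[0-9]",
    "\\D": "[^0-9]",
    "\\s": " ",                 # OSSEC \s is a single space character
    "\\S": "[^ ]",
    "\\t": "\t",
    "\\.": "\\.",
}


def ossec_to_py(pattern):
    """Rewrite an OSSEC-style pattern as a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _OSSEC_TO_PY:
            out.append(_OSSEC_TO_PY[tok])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


# Syslog header as ossec-logtest's Phase 1 splits it. The log field keeps
# everything after the ':' verbatim, including the leading space that the
# logtest output in the post shows.
_SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?:"
    r"(?P<log>.*)$")


def predecode(line):
    """Phase 1: split off the syslog header; unknown formats keep the whole line."""
    m = _SYSLOG_HEADER.match(line)
    return m.groupdict() if m else {"log": line}


def decode_child(log, decoder):
    """Phase 2 for one child decoder: prematch from after_parent (start of log),
    then regex from after_prematch. Reports which stage failed."""
    result = {"prematch": False, "regex": False, "fields": {}}
    pm = re.search(ossec_to_py(decoder["prematch"]), log)
    if pm is None:
        return result
    result["prematch"] = True
    m = re.search(ossec_to_py(decoder["regex"]), log[pm.end():])
    if m is None:
        return result
    result["regex"] = True
    result["fields"] = dict(zip(decoder["order"], m.groups()))
    return result


# The decoder exactly as posted.
POSTED = {"prematch": r"^\S+canonicalize_connect_path failed",
          "regex": r"^for service (\w+),",
          "order": ["user"]}

# Corrected prematch only, to show that the regex then becomes the failing stage.
FIXED_PREMATCH_ONLY = {"prematch": r"^\s*canonicalize_connect_path failed",
                       "regex": POSTED["regex"],
                       "order": ["user"]}

# Both patterns corrected (assumed fix, see lead-in).
FIXED = {"prematch": r"^\s*canonicalize_connect_path failed",
         "regex": r"^ for service (\w+),",
         "order": ["user"]}


def extract_user(line, decoder):
    """Return the decoded user for an smbd line, or None when decoding fails."""
    fields = predecode(line)
    if fields.get("program_name") != "smbd":
        return None
    return decode_child(fields["log"], decoder)["fields"].get("user")


if __name__ == "__main__":
    log = predecode(SAMBA_LINE)["log"]
    for name, dec in (("posted", POSTED), ("fixed prematch only", FIXED_PREMATCH_ONLY),
                      ("fixed", FIXED)):
        print(name, decode_child(log, dec))
```

Running the script shows the posted decoder failing at the prematch stage (`\S+` cannot match the leading space), the half-fixed one failing at the regex stage (`^for` sits after the space that follows "failed"), and the fully corrected pair yielding user sorigel.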