On Wednesday, 4 September 2013 18:13:49 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Sep 4, 2013 at 11:48 AM, ZaNN <[email protected]> wrote:
> > Hello everyone,
> >
> > I am having trouble extracting the username from this Samba error log:
> >
> > Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel
> >
> > I just want to extract the user sorigel, so I could create some active-response script in the short run :) However I am not able to create a new decoder from the smbd parent decoder:
> >
> > My child decoder:
> >
> > <decoder name="smbd-home">
> >   <parent>smbd</parent>
> >   <prematch offset="after_parent">^\S+canonicalize_connect_path failed </prematch>
> >   <regex offset="after_prematch">^for service (\w+),</regex>
> >   <order>user</order>
> > </decoder>
> >
> > Below is the logtest output, where no username is extracted and no child Samba decoder is executed....
> >
> > [root@gandalf ossec]# bin/ossec-logtest
> > 2013/09/04 17:38:39 ossec-testrule: INFO: Reading local decoder file.
> > 2013/09/04 17:38:39 ossec-testrule: INFO: Reading the lists file: 'list/suspicious-dns.lst'
> > 2013/09/04 17:38:39 ossec-testrule: INFO: Started (pid: 11699).
> > ossec-testrule: Type one log per line.
> >
> > Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
> >        hostname: 'sauron'
> >        program_name: 'smbd'
> >        log: ' canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'smbd'
> >
> > Any help will be much appreciated
> >
>
> <decoder name="smbd-user">
>   <parent>smbd</parent>
>   <regex offset="after_parent"> for service (\S+), path (\S+)$</regex>
>   <order>user,extra_data</order>
> </decoder>
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
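The following is an added example, not code from the ossec-list thread or from the OSSEC project. It is a small Python stand-in for the two decoding phases that ossec-logtest prints above, run offline over the smbd line from the question. It applies both the "smbd-home" decoder from the question and dan's "smbd-user" decoder, and shows why only the second one yields a user: with a parent matched on program_name, offset="after_parent" starts at the 'log' field, which begins with the space after "smbd[12606]:", so a prematch anchored as ^\S+ has nothing to match. Assumptions: the OSSEC patterns are hand-translated to Python re (OSSEC's own regex engine is custom, and \w is rendered as letters, digits, '-', '@', '_' per the OSSEC regex syntax), the syslog header regex and the username allowlist are this example's own, and ossec-logtest remains the authoritative check.

```python
import re

# Constructed sample input: the smbd line from the thread (runs offline, no OSSEC needed).
SAMPLE_LOG = ("Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path "
              "failed for service sorigel, path /home/SCYTL_INT/sorigel")

# Phase 1 (pre-decoding): split the syslog header into hostname, program_name, log.
# Like ossec-logtest, 'log' keeps the space that follows "smbd[12606]:".
_SYSLOG = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[\d+\])?:(?P<log>.*)$"
)


def predecode(line):
    """Return the pre-decoded fields for a syslog line, or None if it is not syslog."""
    m = _SYSLOG.match(line)
    return m.groupdict() if m else None


class ChildDecoder:
    """Stand-in for an OSSEC child decoder (assumption: patterns already in Python re).

    The parent ('smbd') is matched on program_name, so offset="after_parent"
    means the 'log' field; offset="after_prematch" means the text after the
    prematch hit. Patterns without ^ are searched, not anchored, as in OSSEC.
    """

    def __init__(self, name, program_name, regex, order, prematch=None):
        self.name = name
        self.program_name = program_name
        self.prematch = re.compile(prematch) if prematch else None
        self.regex = re.compile(regex)
        self.order = order

    def decode(self, pre):
        if pre is None or pre["program_name"] != self.program_name:
            return None
        text = pre["log"]
        if self.prematch is not None:
            pm = self.prematch.search(text)
            if pm is None:
                return None            # prematch failed: child decoder never fires
            text = text[pm.end():]     # offset="after_prematch"
        m = self.regex.search(text)
        if m is None:
            return None
        return dict(zip(self.order, m.groups()))


# The question's "smbd-home" decoder (OSSEC \w -> [A-Za-z0-9@_-]).
SMBD_HOME = ChildDecoder(
    name="smbd-home", program_name="smbd",
    prematch=r"^\S+canonicalize_connect_path failed ",
    regex=r"^for service ([A-Za-z0-9@_-]+),",
    order=("user",),
)

# dan's "smbd-user" decoder from the reply: no prematch, unanchored search on 'log'.
SMBD_USER = ChildDecoder(
    name="smbd-user", program_name="smbd",
    regex=r" for service (\S+), path (\S+)$",
    order=("user", "extra_data"),
)


def decode_line(line, decoders=(SMBD_HOME, SMBD_USER)):
    """Return (decoder_name, fields) for the first child decoder that matches, else (None, {})."""
    pre = predecode(line)
    for d in decoders:
        fields = d.decode(pre)
        if fields is not None:
            return d.name, fields
    return None, {}


# Hypothetical guard for the active-response script the question mentions: the
# "service" is whatever name the SMB client asked for, so treat the decoded user
# as untrusted and allow only a conservative POSIX-style username before handing
# it to a command. This allowlist is an assumption, not OSSEC or Samba policy.
_SAFE_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def safe_for_active_response(user):
    return bool(_SAFE_USER.match(user))


if __name__ == "__main__":
    pre = predecode(SAMPLE_LOG)
    print("phase 1:", pre)
    print("smbd-home:", SMBD_HOME.decode(pre))   # None: ^\S+ cannot match the leading space
    print("smbd-user:", SMBD_USER.decode(pre))
    print("winner:", decode_line(SAMPLE_LOG))
```

Running the module prints the pre-decoded fields, None for "smbd-home", and user 'sorigel' with extra_data '/home/SCYTL_INT/sorigel' for "smbd-user". Python's re is only a stand-in for OSSEC's engine, so once a decoder looks right here, paste the line into bin/ossec-logtest as the thread does and confirm Phase 2 reports the child decoder and the extracted user.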
