On Thu, Sep 5, 2013 at 3:37 AM, ZaNN <[email protected]> wrote:
> Thank you Dan, that did the trick.
>
> However, I cannot see what the problem was; surely it is something related to
> regexp....
>
If you want to find out, start by removing the regex from the prematch. I
don't know if that's valid syntax for prematch or not. Next get rid of the
\w. I've never liked it, and I think it feels the same way about me.

> Cheers
>
>
> On Wednesday, September 4, 2013 18:13:49 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Sep 4, 2013 at 11:48 AM, ZaNN <[email protected]> wrote:
>> > Hello everyone,
>> >
>> > I am having trouble extracting the username from this samba error log:
>> >
>> > Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for
>> > service sorigel, path /home/SCYTL_INT/sorigel
>> >
>> >
>> > I just want to extract the user sorigel, so I could create some
>> > active-response script in the short run :) However, I am not able to
>> > create a new decoder from the smbd parent decoder:
>> >
>> > My child decoder:
>> >
>> > <decoder name="smbd-home">
>> >   <parent>smbd</parent>
>> >   <prematch offset="after_parent">^\S+canonicalize_connect_path failed
>> >   </prematch>
>> >   <regex offset="after_prematch">^for service (\w+),</regex>
>> >   <order>user</order>
>> > </decoder>
>> >
>> > Below is the logtest output, where no username is extracted and no child
>> > samba decoder is executed....
>> >
>> > [root@gandalf ossec]# bin/ossec-logtest
>> > 2013/09/04 17:38:39 ossec-testrule: INFO: Reading local decoder file.
>> > 2013/09/04 17:38:39 ossec-testrule: INFO: Reading the lists file: 'list/suspicious-dns.lst'
>> > 2013/09/04 17:38:39 ossec-testrule: INFO: Started (pid: 11699).
>> > ossec-testrule: Type one log per line.
>> >
>> > Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for
>> > service sorigel, path /home/SCYTL_INT/sorigel
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: 'Sep 3 14:42:51 sauron smbd[12606]: canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
>> > hostname: 'sauron'
>> > program_name: 'smbd'
>> > log: ' canonicalize_connect_path failed for service sorigel, path /home/SCYTL_INT/sorigel'
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'smbd'
>> >
>> > Any help will be much appreciated
>> >
>>
>> <decoder name="smbd-user">
>>   <parent>smbd</parent>
>>   <regex offset="after_parent"> for service (\S+), path (\S+)$</regex>
>>   <order>user,extra_data</order>
>> </decoder>
>>
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
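As an added illustration of the two decoders in this thread (not code from the list or from OSSEC itself), the following Python approximates OSSEC's decoder regex tokens with the `re` module and applies both decoders to the pre-decoded `log` field shown in the logtest output; it assumes that approximation is faithful enough for these patterns. It shows that ZaNN's `^\S+` prematch cannot match because the field begins with a space, while Dan's decoder captures both fields.

```python
import re

# Constructed from the ossec-logtest output in the thread: the pre-decoded 'log'
# field a child of the smbd decoder sees with offset="after_parent" (leading space).
LOG_AFTER_PARENT = (" canonicalize_connect_path failed for service sorigel,"
                    " path /home/SCYTL_INT/sorigel")

# OSSEC regex tokens approximated with Python's re (assumption: OSSEC has its own
# engine; these follow the documented token meanings, not that engine).
_TOKENS = {
    r"\S": r"\S",               # any non-space character
    r"\s": r" ",                # a space
    r"\w": r"[A-Za-z0-9@_\-]",  # OSSEC's \w: letters, digits, '@', '-', '_'
    r"\.": r".",                # OSSEC's \. means "anything"
}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _TOKENS:
            out.append(_TOKENS[pattern[i:i + 2]])
            i += 2
        elif pattern[i] in "^$+*()|":   # OSSEC metacharacters kept as-is
            out.append(pattern[i])
            i += 1
        else:                           # everything else is literal in OSSEC
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def run_decoder(log, regex, order, prematch=None):
    """Apply a child decoder to `log`; return the captured fields or None."""
    rest = log
    if prematch is not None:
        m = re.search(ossec_to_python(prematch), rest)
        if not m:
            return None                 # prematch failed: the regex never runs
        rest = rest[m.end():]           # offset="after_prematch"
    m = re.search(ossec_to_python(regex), rest)
    return dict(zip(order, m.groups())) if m else None

# ZaNN's decoder: ^\S+ demands a non-space at position 0, but the log field
# starts with a space, so the prematch fails and nothing is extracted.
ORIGINAL = run_decoder(LOG_AFTER_PARENT, regex=r"^for service (\w+),", order=("user",),
                       prematch=r"^\S+canonicalize_connect_path failed")

# Dan's decoder: a leading space in the regex and \S+ for both fields.
FIXED = run_decoder(LOG_AFTER_PARENT, regex=r" for service (\S+), path (\S+)$",
                    order=("user", "extra_data"))
```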
