I have the following log entry (and the "[" was not my idea):
18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
[Bob][Marley][tokenString].[worker]
[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]
I have the following Decoder:
<decoder name="D2C-CONFIG">
<prematch>^\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d.\d\d\d CONFIG</prematch>
</decoder>
<decoder name="D2C-FetchRows">
<parent>D2C-CONFIG</parent>
<regex offset="after_parent"> [(\S+)] [(\S+)][(\S+)][(\S+)].[(\S+)]
[success=(\S+)][ms=(\S+)][token=\S+][maxFetchRows=\S+][paramCount=\S+][sqlText=\S+][sqlCommand=\S+][rowsFetched=(\S+)]</regex>
<!-- the regex has eight capture groups, so order lists eight fields -->
<order>extra_data,user,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data</order>
</decoder>
Which elicits the following results:
ossec-testrule: Type one log per line.
18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
[Bob][Marley][tokenString].[worker]
[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]
**Phase 1: Completed pre-decoding.
full event: '18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
[Bob][Marley][tokenString].[worker]
[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]'
hostname: 'ip-257-999-816-615'
program_name: '(null)'
log: '18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
[Bob][Marley][tokenString].[worker]
[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]'
**Phase 2: Completed decoding.
decoder: 'D2C-CONFIG'
extra_data: 'Thread-17'
dstuser: 'Bob'
extra_data: 'Marley'
extra_data: 'tokenString'
extra_data: 'worker'
extra_data: 'true'
extra_data: '172'
extra_data: 'rowsFetched=888]'
Questions:
1. Why does this decode as D2C-CONFIG as opposed to "D2C-FetchRows"?
2. The last line of Phase 2 { extra_data: 'rowsFetched=888]' }: why is
the closing bracket showing up there but not in other places, and how do I get
rid of it?
3. Is there a syntax that would extract 'Bob Marley' from [Bob][Marley] in
the original message? I have tried several iterations and always end up
with the brackets.
Thank you,
Jared
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
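The following is an added example, not code from the post above or from the OSSEC project. It parses the bracketed log format the post describes with Python's re module (not OSSEC's own os_regex dialect, whose syntax is different, so it is not a drop-in decoder), joins the two name brackets into a single "Bob Marley" value, and shows why a \S+ capture is the wrong tool for ][-delimited fields: ']' is not whitespace, so a non-whitespace run only ends at the last ']' of the entry. The sample entry is constructed to mirror the one in the post, including its three-line layout.

```python
import re

# Constructed sample modelled on the entry in the post (not a real capture),
# laid out on three lines exactly as the post shows it.
SAMPLE = (
    "18-Sep-2013 13:16:20.054 CONFIG [Thread-17]\n"
    "[Bob][Marley][tokenString].[worker]\n"
    "[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999]"
    "[sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]"
)

# Header: timestamp, level, thread, then the [first][last][kind].[role] block,
# then the run of [key=value] fields. [^\]]+ stops at the closing bracket;
# \S+ would not, because ']' is not whitespace. \s+ between segments accepts
# either a space or the line breaks seen in the post.
HEADER = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+)"
    r"\s+\[(?P<thread>[^\]]+)\]"
    r"\s+\[(?P<first>[^\]]+)\]\[(?P<last>[^\]]+)\]\[(?P<kind>[^\]]+)\]\.\[(?P<role>[^\]]+)\]"
    r"\s+(?P<fields>(?:\[[^\]]*\])+)$"
)
# One [key=value] pair. The value may be empty but may not contain ']';
# a real sqlText containing ']' would need a different delimiter strategy.
KV = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def parse_entry(entry):
    """Return a dict of the named header parts plus every key=value field,
    with first/last joined into one 'user' value, or None if the entry
    does not match the expected layout."""
    m = HEADER.match(entry)
    if m is None:
        return None
    rec = m.groupdict()
    rec["user"] = rec.pop("first") + " " + rec.pop("last")  # 'Bob Marley'
    rec.update(KV.findall(rec.pop("fields")))
    return rec


def capture_with_nonspace(entry):
    """What a \\S+ capture of the ms= value returns: the non-whitespace run
    only ends at the final ']' of the entry, so the capture drags in every
    field after it. (Python's re backtracks to find that ']'; OSSEC's engine
    differs in detail, but the character-class point is the same.)"""
    return re.search(r"\[ms=(\S+)\]", entry).group(1)


def capture_with_bracket_class(entry):
    """Same capture with [^\\]]+, which stops at the first ']'."""
    return re.search(r"\[ms=([^\]]+)\]", entry).group(1)


if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key}: {value!r}")
    print("\\S+ capture:   ", capture_with_nonspace(SAMPLE))
    print("[^\\]]+ capture:", capture_with_bracket_class(SAMPLE))
```

Running it prints user: 'Bob Marley', rowsFetched: '888' and the other fields by name, then the two ms= captures side by side: the bracket-class version yields '172', while the \S+ version yields '172][token=SomeCMD]...[rowsFetched=888', every field up to the last bracket.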