Hi all,

I have written a custom decoder. How do I know if it is working correctly?
The ossec-logtest utility gives the following output.
19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh

**Phase 1: Completed pre-decoding.
       full event: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'
       hostname: 'piprime'
       program_name: '(null)'
       log: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'

**Phase 2: Completed decoding.
       decoder: 'mikrotiklogin'

05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh

**Phase 1: Completed pre-decoding.
       full event: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh                          '
       hostname: 'piprime'
       program_name: '(null)'
       log: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh                          '

**Phase 2: Completed decoding.
       decoder: 'mikrotiklogin'

My custom decoder is below.
<decoder name="mikrotiklogin">
  <!-- "HH:MM:SS topic,topic,topic " : the third \w+ already covers the whole word, so the extra \w is dropped -->
  <prematch>^\d\d:\d\d:\d\d\s\w+,\w+,\w+\s</prematch>
  <!-- keep the whole regex on one line (a line break inside <regex> becomes part of the pattern).
       Group repetition ('+' after ')') is not part of OSSEC's regex syntax, so it is removed.
       \d+.\d+.\d+.\d+ also accepts 1- and 2-digit octets such as 10.0.0.7, which \d\d\d+... did not. -->
  <regex offset="after_prematch">user\s(\w+)\slogged in from (\d+.\d+.\d+.\d+)\s+(.*)</regex>
  <!-- 'user' is stored as dstuser; when the regex matches, ossec-logtest prints dstuser, srcip and extra_data under Phase 2 -->
  <order>user,srcip,extra_data</order>
</decoder>

Pranav
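An added example for checking a decoder offline, not code from this thread or from OSSEC: it translates the os_regex dialect (per the OSSEC regex-syntax docs) into Python regexes, applies the decoder as posted and a corrected one to the event from the post plus three constructed events, and lints for two things: a `+` after `)` (group repetition is not part of OSSEC's regex syntax) and a newline inside `<regex>`, which is what the file contains if the wrap seen in the mail is also in the XML. The translation is an approximation of how ossec-analysisd matches: Python does understand `(...)+`, so with the posted pattern it extracts fields from the first event even though the logtest run above showed none, which is exactly why the lint exists. The events after the first one, the `FIXED` decoder and all function names are my assumptions; the authoritative check remains ossec-logtest printing dstuser (the `user` order field is stored as dstuser), srcip and extra_data under Phase 2.

```python
"""Offline exerciser for an OSSEC decoder's <prematch>/<regex> against sample log lines.

Added example for the ossec-list thread; not code from the post or from OSSEC.
It translates the os_regex dialect into Python regexes, so it approximates how
ossec-analysisd matches: ossec-logtest is the real check.
"""
import re

# os_regex escape -> Python equivalent (character classes per the OSSEC regex docs).
_TOKENS = {
    r"\d": "[0-9]",
    r"\w": "[A-Za-z0-9@_]",
    r"\s": " ",
    r"\t": "\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]",
    r"\D": "[^0-9]",
    r"\W": "[^A-Za-z0-9@_]",
    r"\S": "[^ ]",
    r"\.": r"\.",
    r"\(": r"\(",
    r"\)": r"\)",
    r"\\": r"\\",
}


def lint_ossec_regex(pattern):
    """Warn about constructs os_regex does not document; Python would still accept them."""
    warnings = []
    if "\n" in pattern:
        warnings.append("pattern contains a newline: a <regex> wrapped across XML lines cannot match a one-line event")
    if re.search(r"\)[+*]", pattern):
        warnings.append("'+' or '*' after ')': group repetition is not part of the os_regex syntax")
    return warnings


def ossec_to_python(pattern):
    """Translate an os_regex pattern into a Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(_TOKENS.get(tok, re.escape(pattern[i + 1])))
            i += 2
        else:
            # ( ) + * ^ $ | and '.' (any character) mean the same in both dialects
            out.append(ch if ch in "()+*^$|." else re.escape(ch))
            i += 1
    return "".join(out)


def decode(decoder, event):
    """Mimic one OSSEC decoder: prematch selects it, regex fills the <order> fields.

    Returns None when the prematch fails (decoder not chosen), {} when the prematch
    hits but the regex does not (the post's logtest output: decoder named, no fields),
    otherwise the extracted fields.
    """
    pre = re.search(ossec_to_python(decoder["prematch"]), event)
    if not pre:
        return None
    haystack = event[pre.end():] if decoder.get("offset") == "after_prematch" else event
    m = re.search(ossec_to_python(decoder["regex"]), haystack)
    if not m:
        return {}
    return dict(zip(decoder["order"], m.groups()))


# The decoder as posted (regex joined onto one line) and an assumed corrected version.
POSTED = {
    "prematch": r"^\d\d:\d\d:\d\d\s\w+,\w+,\w+\w\s",
    "regex": r"user\s(\w+)\slogged in from (\d\d\d+.\d\d\d+.\d\d+.\d\d\d)+(\s+.*)",
    "offset": "after_prematch",
    "order": ["user", "srcip", "extra_data"],
}
FIXED = {
    "prematch": r"^\d\d:\d\d:\d\d\s\w+,\w+,\w+\s",
    "regex": r"user\s(\w+)\slogged in from (\d+.\d+.\d+.\d+)\s+(.*)",
    "offset": "after_prematch",
    "order": ["user", "srcip", "extra_data"],
}

# Sample events in the MikroTik format; only the first is from the post, the rest are constructed.
SAMPLES = [
    "19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh",
    "05:18:18 system,info,account user admin logged in from 10.0.0.7 via winbox",
    "05:20:01 system,info,account user admin logged out from 192.168.88.254 via ssh",
    "05:21:09 interface,info ether1 link up",
]


def run(decoder, samples=SAMPLES):
    """Decode every sample; this list is what a regression test for the decoder should pin down."""
    return [decode(decoder, s) for s in samples]


if __name__ == "__main__":
    for name, dec in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint_ossec_regex(dec["regex"]))
        for s, r in zip(SAMPLES, run(dec)):
            print(f"  {r!r:60} <- {s}")
```

The second event is the one to watch: the posted IP pattern requires three digits in the first two octets, so `10.0.0.7` yields `{}` (decoder chosen, nothing extracted), while the corrected pattern extracts all three fields. The third event shows the intended `{}` for a line the prematch selects but the regex should not fill, and the fourth shows `None` for a line this decoder should never claim.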
