On Fri, Oct 18, 2013 at 11:00 AM, Pranav Lal <[email protected]> wrote:
> Hi all,
>
> I have written a custom decoder. How do I know if it is working correctly?
> The ossec-logtest utility gives the following output.
>
> 19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'
>        hostname: 'piprime'
>        program_name: '(null)'
>        log: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh
> '
>
> **Phase 2: Completed decoding.
>        decoder: 'mikrotiklogin'
>
> 05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh '
>        hostname: 'piprime'
>        program_name: '(null)'
>        log: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
> '
>
> **Phase 2: Completed decoding.
>        decoder: 'mikrotiklogin'

It didn't decode user, srcip, or extra_data; so I don't think it's working properly. With only 1 log example, it's tough to make a good one, but this one decodes all of the fields:

<decoder name="mikrotiklogin">
  <prematch>^\d\d:\d\d:\d\d\s\S+,\.+ user </prematch>
  <regex offset="after_prematch">^(\S+) logged in from (\d+.\d+.\d+.\d+) via (\S+)</regex>
  <order>user,srcip,extra_data</order>
</decoder>

> My custom decoder is below.
>
> <decoder name="mikrotiklogin">
>   <prematch>^\d\d:\d\d:\d\d\s\w+,\w+,\w+\w\s</prematch>
>   <regex offset="after_prematch">user\s(\w+)\slogged in from (\d\d\d+.\d\d\d+.\d\d+.\d\d\d)+(\s+.*)</regex>
>   <order>user,srcip,extra_data</order>
> </decoder>
>
> Pranav
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
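The check the reply applies by eye (decoder name matched in Phase 2, but none of the `<order>` fields were extracted) can be automated over the text ossec-logtest prints. The script below is an added example, not code from the thread or from OSSEC; the two sample outputs are constructed from the block Pranav pasted, and it assumes that ossec-logtest prints each extracted field as `name: 'value'` under Phase 2 and that the `<order>` name `user` is printed as `dstuser`, as in OSSEC 2.x.

```python
import re

ORDER = ["user", "srcip", "extra_data"]  # the <order> of the decoder under test

# In ossec-logtest output the <order> name "user" is printed as "dstuser"
# (assumption based on OSSEC 2.x); the other names are printed as-is.
PRINTED_NAME = {"user": "dstuser"}

# Constructed ossec-logtest output modelled on the block in the thread: the decoder
# matched, but Phase 2 lists no extracted fields.
FAILING_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'
       hostname: 'piprime'
       program_name: '(null)'
       log: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'

**Phase 2: Completed decoding.
       decoder: 'mikrotiklogin'
"""

# Constructed output for a decoder that populates user, srcip and extra_data.
DECODED_OUTPUT = FAILING_OUTPUT + """\
       dstuser: 'admin'
       srcip: '192.168.88.254'
       extra_data: 'ssh'
"""

FIELD_LINE = re.compile(r"^\s*(\w+): '(.*)'$", re.MULTILINE)


def phase2_fields(output):
    """Return {name: value} for the "name: 'value'" lines printed after Phase 2."""
    parts = output.split("**Phase 2", 1)
    if len(parts) < 2:
        return {}
    return dict(FIELD_LINE.findall(parts[1]))


def check_decoder(output, decoder_name, order):
    """Return (decoder_matched, missing_fields) for one ossec-logtest run."""
    fields = phase2_fields(output)
    if fields.get("decoder") != decoder_name:
        return False, list(order)
    missing = [name for name in order if PRINTED_NAME.get(name, name) not in fields]
    return True, missing


if __name__ == "__main__":
    for label, out in (("original decoder", FAILING_OUTPUT), ("fixed decoder", DECODED_OUTPUT)):
        matched, missing = check_decoder(out, "mikrotiklogin", ORDER)
        print(label, "matched:", matched, "missing:", missing or "none")
```

To use it on a live run, pipe the log line into `/var/ossec/bin/ossec-logtest` and pass the captured output to `check_decoder`.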
