On Sun, Oct 20, 2013 at 8:12 PM, Pranav Lal <[email protected]> wrote:
> Hi Dan,
>
> Many thanks for your revised decoder. Mikrotik logs in the BSD syslog format
> defined by RFC 3164 (http://tools.ietf.org/html/rfc3164). I can send you
> plenty of logs from the router. When I run the ossec-logtest utility, I get
> the following.
> 2013/10/21 00:03:15 ossec-testrule: INFO: Reading local decoder file.
> 2013/10/21 00:03:16 ossec-testrule: INFO: Started (pid: 4719).
> ossec-testrule: Type one log per line.
>
> 05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
>
> **Phase 1: Completed pre-decoding.
> full event: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh '
> hostname: 'piprime'
> program_name: '(null)'
> log: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
> '
>
> **Phase 2: Completed decoding.
> decoder: 'mikrotiklogin'
>
You've done something wrong then. This is what I get:
# cat /tmp/xxx | /var/ossec-server/bin/ossec-logtest
2013/10/20 20:20:32 ossec-testrule: INFO: Reading local decoder file.
2013/10/20 20:20:32 ossec-testrule: INFO: Started (pid: 22965).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh'
hostname: 'ix'
program_name: '(null)'
log: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh'
**Phase 2: Completed decoding.
decoder: 'mikrotiklogin'
dstuser: 'admin'
srcip: '192.168.88.254'
extra_data: 'ssh'
> 19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh
>
> **Phase 1: Completed pre-decoding.
> full event: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'
> hostname: 'piprime'
> program_name: '(null)'
> log: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh
> '
>
> **Phase 2: Completed decoding.
> decoder: 'mikrotiklogin'
>
> Pranav
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Sunday, October 20, 2013 11:10 PM
> To: [email protected]
> Subject: Re: [ossec-list] Checking if my custom decoder is working correctly
>
> On Fri, Oct 18, 2013 at 11:00 AM, Pranav Lal <[email protected]> wrote:
>> Hi all,
>>
>> I have written a custom decoder. How do I know if it is working correctly?
>> The ossec-logtest utility gives the following output.
>>
>>
>> 19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh'
>> hostname: 'piprime'
>> program_name: '(null)'
>> log: '19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh
>> '
>>
>> **Phase 2: Completed decoding.
>> decoder: 'mikrotiklogin'
>>
>> 05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh '
>> hostname: 'piprime'
>> program_name: '(null)'
>> log: '05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
>> '
>>
>> **Phase 2: Completed decoding.
>> decoder: 'mikrotiklogin'
>>
>
> It didn't decode user, srcip, or extra_data; so I don't think it's
> working properly.
>
> With only 1 log example, it's tough to make a good one, but this one
> decodes all of the fields:
> <decoder name="mikrotiklogin">
> <prematch>^\d\d:\d\d:\d\d\s\S+,\.+ user </prematch>
> <regex offset="after_prematch">^(\S+) logged in from (\d+.\d+.\d+.\d+) via (\S+)</regex>
> <order>user,srcip,extra_data</order>
> </decoder>
>
>>
>> My custom decoder is below.
>> <decoder name="mikrotiklogin">
>> <prematch>^\d\d:\d\d:\d\d\s\w+,\w+,\w+\w\s</prematch>
>> <regex offset="after_prematch">user\s(\w+)\slogged in from (\d\d\d+.\d\d\d+.\d\d+.\d\d\d)+(\s+.*)</regex>
>> <order>user,srcip,extra_data</order>
>> </decoder>
>>
>> Pranav
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>
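The thread turns on two things: OSSEC's regex dialect (where `\.` means any character and a plain `.` is a literal dot, and `?` does not exist) and what ossec-logtest shows in Phase 2 when a prematch hits but the regex does not extract fields. The script below is an added example, not OSSEC's code and not from anyone in the thread. It translates the subset of the dialect that Dan's decoder uses into a Python `re` pattern and applies the `<prematch>`, `<regex offset="after_prematch">` and `<order>` of that decoder to the line Pranav tested with, plus one constructed "logged out" line that reproduces the symptom of a decoder name being reported with no fields. The `user` → `dstuser` mapping is taken from Dan's logtest output; the OSSEC class definitions are the documented ones. Python's `re` backtracks more freely than OSSEC's matcher, so this is a sanity check of a decoder's logic, not a substitute for ossec-logtest.

```python
"""Rough check of an OSSEC decoder with Python's re module (added example).

Translates the subset of OSSEC's regex dialect used in the thread (\\d, \\w,
\\s, \\S, \\. meaning any character, a plain '.' meaning a literal dot, ^, $,
(), +, *) into a Python regex, then applies <prematch>,
<regex offset="after_prematch"> and <order> the way ossec-logtest reports them.
"""
import re
from typing import Dict, List, Optional

# OSSEC character classes as documented in its regex syntax.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",   # \w also covers '-', '@' and '_' in OSSEC
    "d": r"[0-9]",
    "s": r" ",                 # \s is the space character only
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",                 # \. matches any character
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC regex into an equivalent Python regex."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in OSSEC_CLASSES:
                raise ValueError(f"unsupported OSSEC escape \\{nxt}")
            out.append(OSSEC_CLASSES[nxt])
            i += 2
            continue
        if c == ".":
            out.append(r"\.")          # plain '.' is a literal dot in OSSEC
        elif c in "^$|()+*":
            out.append(c)              # same meaning in both dialects
        elif c == "?":
            raise ValueError("'?' is not part of OSSEC's regex syntax")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


# ossec-logtest reports the <order> name 'user' as 'dstuser' (see Dan's output).
REPORTED_NAME = {"user": "dstuser"}


def apply_decoder(decoder: Dict, log: str) -> Optional[Dict[str, str]]:
    """Return roughly what Phase 2 of ossec-logtest would show for this decoder."""
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if pre is None:
        return None                            # decoder does not apply at all
    rest = log[pre.end():]                     # offset="after_prematch"
    result = {"decoder": decoder["name"]}
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    if m is None:
        return result                          # prematch hit, no fields: the thread's symptom
    for name, value in zip(decoder["order"], m.groups()):
        result[REPORTED_NAME.get(name, name)] = value
    return result


# Dan's decoder from the thread, written as a dict instead of XML.
MIKROTIK_LOGIN = {
    "name": "mikrotiklogin",
    "prematch": r"^\d\d:\d\d:\d\d\s\S+,\.+ user ",
    "regex": r"^(\S+) logged in from (\d+.\d+.\d+.\d+) via (\S+)",
    "order": ["user", "srcip", "extra_data"],
}

# The line Pranav tested with.
SAMPLE_LOGIN = "05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh"
# Constructed line, not from the thread: the prematch applies but the login
# regex does not, so only the decoder name is reported.
SAMPLE_OTHER = "05:20:02 system,info,account user admin logged out from 192.168.88.254 via ssh"


def decode_samples() -> List[Optional[Dict[str, str]]]:
    """Run Dan's decoder over both sample lines."""
    return [apply_decoder(MIKROTIK_LOGIN, line) for line in (SAMPLE_LOGIN, SAMPLE_OTHER)]


if __name__ == "__main__":
    for result in decode_samples():
        print(result)
```

Running it prints the same `dstuser`, `srcip` and `extra_data` values Dan's ossec-logtest run shows for the login line, and only `decoder: mikrotiklogin` for the constructed logout line. The translation also rejects `?`, which is a common source of silently failing decoders when patterns are copied from PCRE.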