Hi, I'm trying to write up a decoder for the Secure Web Gateway device. I believe I hit a snag but I am not able to figure out why. I'm hoping someone else will spot the issue. I've dumbed down the decoder (stripping IP, URL, and extra_data from it) and it still doesn't work as expected.
<!-- Sample Event -->
<!-- Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block reason: ; Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS Policy; Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; Transaction time: 02/28/2014 15:08:29; URL: http://box.com:443; URL Category: Web Based Storage; X-Ray: -->

<decoder name="swg1">
  <prematch>\w+ \d+ \S+ \S+ : M86 SWG Web Event</prematch>
  <regex offset="after_prematch"> - Action: (\w+);</regex>
  <order>action</order>
</decoder>

Running this decoder never returns a successful decode:

[root@secserv ~]# /var/ossec/bin/ossec-logtest
2014/02/28 21:43:47 ossec-testrule: INFO: Reading local decoder file.
2014/02/28 21:43:47 ossec-testrule: INFO: Started (pid: 22685).
ossec-testrule: Type one log per line.

Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;

**Phase 1: Completed pre-decoding.
       full event: 'Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'
       hostname: 'swg1'
       program_name: ''
       log: 'M86 SWG Web Event - Action: Block;'

**Phase 2: Completed decoding.
       No decoder matched.

Unless I strip the first \w+ and only put in '28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'.

For that date prematch I have tried:

\w\w\w \d\d \dd:\d\d:\d\d \S+ :
\S+ \S+ \S+ \S+ :
^\w\w\w \d\d \dd:\d\d:\d\d \S+ :
^\S+ \S+ \S+ \S+ :
\w+ \d+ \S+ \S+ :
^\w+ \d+ \S+ \S+ :

And none work unless I strip out the first match (the month) and then rerun the test without the month value. None of the other local_decoders have this syntax. I've even tried prematching on just SMG or M86 and it doesn't return anything. Throwing these strings into ww.regexpal.com shows they will match on what I need them to.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
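The Phase 1 output above already shows the syslog header split off into hostname, program_name and log. The following script is an added example, not part of the post and not OSSEC's own code: it models the two ossec-logtest phases in Python under the assumption that the decoder's prematch is tested against the pre-decoded log field rather than the full event, and it translates a small subset of OSSEC's regex escapes (\w, \d, \s, \S, \W, \D, \., \p, \t) into Python re syntax. The syslog header pattern, the translation table and the LOG_PREMATCH string are assumptions of the example; the sample line and the decoder strings come from the post. It shows what the poster's prematch is actually matched against and what a prematch written against that log field extracts.

```python
import re

# Model of the syslog header ossec-logtest strips in Phase 1 (an assumption
# of this example): "Mon DD HH:MM:SS host [prog[pid]]: message".
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:]*?)(?:\[\d+\])?\s*: (?P<log>.*)$"
)


def predecode(line):
    """Phase 1 model: split the header off and return the fields decoders see."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"full_event": line, "hostname": "", "program_name": "", "log": line}
    return {
        "full_event": line,
        "hostname": m.group("host"),
        "program_name": m.group("prog"),
        "log": m.group("log"),
    }


# Approximate translation of OSSEC regex escapes to Python re (assumption of
# this example, not os_regex itself). Anything not listed is a literal character.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "S": r"[^ ]",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    ".": r".",  # "\." in OSSEC syntax stands for any character
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "t": r"\t",
}
_OSSEC_META = set("^$+*()|")


def ossec_to_python(pattern):
    """Convert an OSSEC-style pattern into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif c in _OSSEC_META:
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def run_decoder(line, prematch, regex):
    """Phase 2 model: prematch runs on the 'log' field; on success the regex
    runs on the text after the prematch (offset="after_prematch")."""
    log = predecode(line)["log"]
    pm = re.search(ossec_to_python(prematch), log)
    if not pm:
        return None
    rx = re.search(ossec_to_python(regex), log[pm.end():])
    if not rx:
        return None
    return rx.groups()


# Sample line and decoder strings taken from the post.
SAMPLE = "Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;"
ORIGINAL_PREMATCH = r"\w+ \d+ \S+ \S+ : M86 SWG Web Event"
ACTION_REGEX = r" - Action: (\w+);"
# Assumed alternative: a prematch anchored on the start of the 'log' field.
LOG_PREMATCH = r"^M86 SWG Web Event"


def demo():
    return {
        "log_field": predecode(SAMPLE)["log"],
        "original": run_decoder(SAMPLE, ORIGINAL_PREMATCH, ACTION_REGEX),
        "log_anchored": run_decoder(SAMPLE, LOG_PREMATCH, ACTION_REGEX),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the log field the decoder is tested against, None for the prematch that still expects the timestamp and host, and ('Block',) for the prematch written against the log field. The translation table is deliberately small; OSSEC's own regex engine differs from PCRE in more ways than the escapes listed here, so patterns validated on a PCRE tester are not guaranteed to behave the same in ossec-logtest.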
