Correct me if I'm wrong, but I don't believe you need to set up the match statements for the date and hostname. I think that should just become:

<decoder name="swg1">
  <prematch>^M86 SWG Web Event</prematch>
  <regex offset="after_prematch"> - Action: (\w+);</regex>
  <order>action</order>
</decoder>

--Josh

On Fri, Feb 28, 2014 at 9:47 PM, Nathaniel Bentzinger <[email protected]> wrote:
> Hi,
>
> I'm trying to write up a decoder for the Secure Web Gateway device. I
> believe I hit a snag but I am not able to figure out why. I'm hoping
> someone else will spot the issue. I've dumbed down the decoder (stripping
> IP, URL, and extra_data from it) and it still doesn't work as expected.
>
> <!-- Sample Event -->
> <!-- Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block
> reason: ; Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS
> Policy; Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; Transaction
> time: 02/28/2014 15:08:29; URL: http://box.com:443; URL Category: Web
> Based Storage; X-Ray: -->
>
> <decoder name="swg1">
>   <prematch>\w+ \d+ \S+ \S+ : M86 SWG Web Event</prematch>
>   <regex offset="after_prematch"> - Action: (\w+);</regex>
>   <order>action</order>
> </decoder>
>
> Running this decoder never returns successful decode:
>
> [root@secserv ~]# /var/ossec/bin/ossec-logtest
> 2014/02/28 21:43:47 ossec-testrule: INFO: Reading local decoder file.
> 2014/02/28 21:43:47 ossec-testrule: INFO: Started (pid: 22685).
> ossec-testrule: Type one log per line.
>
> Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'
>        hostname: 'swg1'
>        program_name: ''
>        log: 'M86 SWG Web Event - Action: Block;'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> Unless I strip the first \w+ and only put in '28 15:08:35 swg1 : M86 SWG
> Web Event - Action: Block;'
>
> For that date prematch I have tried:
> \w\w\w \d\d \dd:\d\d:\d\d \S+ :
> \S+ \S+ \S+ \S+ :
> ^\w\w\w \d\d \dd:\d\d:\d\d \S+ :
> ^\S+ \S+ \S+ \S+ :
> \w+ \d+ \S+ \S+ :
> ^\w+ \d+ \S+ \S+ :
>
> And none work unless I strip out the first match (the month) then rerun
> the test without the month value. None of the other local_decoders have
> this syntax. I've even tried prematching on just SMG or M86 and it doesn't
> return anything. Throwing these strings into ww.regexpal.com shows they
> will match on what I need them to.
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
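The point Josh makes (and the ossec-logtest output already shows) is that Phase 1 pre-decoding strips the syslog timestamp and hostname before any user decoder runs, so a prematch that begins with the date can never match the 'log' field. The following Python model is an added example, not OSSEC's own code and not code from either poster: it reproduces the two phases on the sample event from the thread, using Python's `re` as a stand-in for OSSEC's more limited regex dialect and a simplified syslog-header regex for pre-decoding. The `FIXED` decoder goes beyond the thread's stripped-down version by also capturing the client IP and URL into `srcip`/`url` (field names assumed from OSSEC's standard `<order>` fields), and `MONTH_STRIPPED` shows why removing the month from both pattern and line appeared to work.

```python
import re

# Constructed sample input: the event line posted in the thread, re-joined
# onto one line (ossec-logtest reads one log per line).
SAMPLE_EVENT = (
    "Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block reason: ; "
    "Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS Policy; "
    "Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; "
    "Transaction time: 02/28/2014 15:08:29; URL: http://box.com:443; "
    "URL Category: Web Based Storage; X-Ray:"
)

# Phase 1 (pre-decoding), simplified model: a syslog header of the form
# "Mon DD HH:MM:SS hostname [program[pid]]: " is split off and only the
# remainder ('log') reaches the user decoders.  Assumption: real OSSEC
# detects the header by the timestamp shape; this regex approximates that.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?:(?P<program_name>[^:\[ ]+)(?:\[\d+\])?)?: (?P<log>.*)$"
)


def predecode(line):
    """Return hostname/program_name/log as ossec-logtest prints them.
    A line without a recognisable syslog header is passed through whole."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": "", "program_name": "", "log": line}
    return {
        "hostname": m.group("hostname"),
        "program_name": m.group("program_name") or "",
        "log": m.group("log"),
    }


def decode(decoder, log):
    """Phase 2: apply one decoder (prematch, then regex, mapped via order)
    to the 'log' field only, never to the full event."""
    pm = re.search(decoder["prematch"], log)
    if pm is None:
        return None
    haystack = log[pm.end():] if decoder.get("offset") == "after_prematch" else log
    m = re.search(decoder["regex"], haystack)
    if m is None:
        return None
    return dict(zip(decoder["order"], m.groups()))


def run(decoder, line):
    """Full pipeline for a raw line: pre-decode, then decode."""
    return decode(decoder, predecode(line)["log"])


# The decoder as originally posted: its prematch expects the timestamp and
# hostname, which pre-decoding has already removed from 'log'.
BROKEN = {
    "prematch": r"^\w+ \d+ \S+ \S+ : M86 SWG Web Event",
    "offset": "after_prematch",
    "regex": r" - Action: (\w+);",
    "order": ["action"],
}

# Josh's fix: prematch begins where 'log' begins.  Extended here to also
# extract the client IP and URL (an assumption beyond the thread's decoder).
FIXED = {
    "prematch": r"^M86 SWG Web Event",
    "offset": "after_prematch",
    "regex": r" - Action: (\w+);.* Client IP: (\d+\.\d+\.\d+\.\d+);.* URL: (\S+);",
    "order": ["action", "srcip", "url"],
}

# What "stripping the month" actually does: the line no longer looks like
# syslog, so Phase 1 leaves it intact and a date-prefixed prematch can match.
MONTH_STRIPPED = {**BROKEN, "prematch": r"^\d+ \S+ \S+ : M86 SWG Web Event"}


def month_stripped_line(line):
    """The line as the thread re-tested it, with the leading month removed."""
    return line.split(" ", 1)[1]


if __name__ == "__main__":
    print(predecode(SAMPLE_EVENT))
    print("broken:", run(BROKEN, SAMPLE_EVENT))
    print("fixed: ", run(FIXED, SAMPLE_EVENT))
    print("month stripped:", predecode(month_stripped_line(SAMPLE_EVENT))["hostname"],
          run(MONTH_STRIPPED, month_stripped_line(SAMPLE_EVENT)))
```

The practical check this models is the one already in the thread: compare your prematch against the `log:` line that ossec-logtest prints under Phase 1, not against the `full event:` line. Anything pre-decoding consumed (timestamp, hostname, program name) is available to rules as separate fields and must not be repeated in the decoder's prematch.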
