Hi Josh, I tried that too but when I test with the whole syslog event that comes in (in my original message) it never decodes it. I'll triple check that the syslog event from the SWG is in fact what I'm testing against.
From: [email protected] [mailto:[email protected]] On Behalf Of Joshua Garnett
Sent: Saturday, March 01, 2014 9:13 AM
To: [email protected]
Subject: Re: [ossec-list] Decoder assistance

Correct me if I'm wrong, but I don't believe you need to set up the match statements for the date and hostname. I think that should just become:

<decoder name="swg1">
  <prematch>^M86 SWG Web Event</prematch>
  <regex offset="after_prematch"> - Action: (\w+);</regex>
  <order>action</order>
</decoder>

--Josh

On Fri, Feb 28, 2014 at 9:47 PM, Nathaniel Bentzinger <[email protected]> wrote:

Hi,

I'm trying to write up a decoder for the Secure Web Gateway device. I believe I hit a snag but I am not able to figure out why. I'm hoping someone else will spot the issue. I've dumbed down the decoder (stripping IP, URL, and extra_data from it) and it still doesn't work as expected.

<!-- Sample Event -->
<!-- Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block reason: ; Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS Policy; Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; Transaction time: 02/28/2014 15:08:29; URL: http://box.com:443; URL Category: Web Based Storage; X-Ray: -->
<decoder name="swg1">
  <prematch>\w+ \d+ \S+ \S+ : M86 SWG Web Event</prematch>
  <regex offset="after_prematch"> - Action: (\w+);</regex>
  <order>action</order>
</decoder>

Running this decoder never returns a successful decode:

[root@secserv ~]# /var/ossec/bin/ossec-logtest
2014/02/28 21:43:47 ossec-testrule: INFO: Reading local decoder file.
2014/02/28 21:43:47 ossec-testrule: INFO: Started (pid: 22685).
ossec-testrule: Type one log per line.

Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;

**Phase 1: Completed pre-decoding.
       full event: 'Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'
       hostname: 'swg1'
       program_name: ''
       log: 'M86 SWG Web Event - Action: Block;'

**Phase 2: Completed decoding.
       No decoder matched.

Unless I strip the first \w+ and only put in '28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'

For that date prematch I have tried:

\w\w\w \d\d \dd:\d\d:\d\d \S+ :
\S+ \S+ \S+ \S+ :
^\w\w\w \d\d \dd:\d\d:\d\d \S+ :
^\S+ \S+ \S+ \S+ :
\w+ \d+ \S+ \S+ :
^\w+ \d+ \S+ \S+ :

And none work unless I strip out the first match (the month) then rerun the test without the month value. None of the other local_decoders have this syntax. I've even tried prematching on just SMG or M86 and it doesn't return anything. Throwing these strings into ww.regexpal.com shows they will match on what I need them to.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
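The behaviour the thread is circling around, as an added example that is not part of the thread or of OSSEC's code: ossec-logtest's phase 1 strips the syslog header (timestamp, hostname, program name) and decoders only ever see the remaining log field, so a prematch that expects the date and hostname can never match, while removing the month from the input defeats the header detection and hands the whole line to the decoder. The header regex below is an approximation of OSSEC's syslog pre-decoder written for this example, and it assumes Python's re reads the thread's simple patterns (^, \w, \d, \S, +, capture groups) the same way OSSEC's regex engine does.

```python
import re

# Constructed sample lines: the SWG event from the thread, and the same
# line with the month removed (the variant the original poster tested).
SYSLOG_EVENT = "Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;"
HEADERLESS_EVENT = "28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;"

# Simplified model of OSSEC's phase-1 pre-decoder (an approximation written
# for this example, not OSSEC's own code): a line that starts with a syslog
# header "Mon DD HH:MM:SS host [prog[pid]]: " is split into hostname,
# program_name and log; decoders are then run against 'log' only.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?:(?P<prog>[^:\[ ]+)(?:\[\d+\])?)?: (?P<log>.*)$"
)

def predecode(event):
    """Return the fields ossec-logtest prints in phase 1."""
    m = SYSLOG_HEADER.match(event)
    if not m:  # no syslog header recognised: the whole line becomes the log
        return {"hostname": "", "program_name": "", "log": event}
    return {"hostname": m["host"], "program_name": m["prog"] or "", "log": m["log"]}

def decode(event, prematch, regex, order):
    """Apply a decoder: prematch and regex see the pre-decoded 'log' field,
    never the full event, and regex starts where the prematch ended
    (offset="after_prematch"). Returns the extracted fields or None."""
    log = predecode(event)["log"]
    pm = re.search(prematch, log)
    if pm is None:
        return None
    m = re.search(regex, log[pm.end():])
    if m is None:
        return None
    return dict(zip(order, m.groups()))

# The prematches from the thread; regex and order are the same in all three.
ACTION_RE, ORDER = r" - Action: (\w+);", ["action"]
WITH_HEADER = r"\w+ \d+ \S+ \S+ : M86 SWG Web Event"  # original attempt
MONTH_STRIPPED = r"\d+ \S+ \S+ : M86 SWG Web Event"   # "worked" with month removed
LOG_ONLY = r"^M86 SWG Web Event"                      # Josh's suggestion

if __name__ == "__main__":
    for label, pm in [("with header", WITH_HEADER), ("log only", LOG_ONLY)]:
        print(label, "->", decode(SYSLOG_EVENT, pm, ACTION_RE, ORDER))
    print("month stripped, headerless input ->",
          decode(HEADERLESS_EVENT, MONTH_STRIPPED, ACTION_RE, ORDER))
```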
