I'm working on a decoder to pull information out of the AWS CloudTrail
logs. There are several examples online and I used them as a starting
point.
I've successfully pulled three components out of each CloudTrail log, but
am not having success when I add a fourth.
I've split the regex up to see if each individual component works and they
do, but when I combine them all, I'm not having any success (when I test
with ossec-logtest).
It could be that I'm missing something simple, but I'm also wondering if
there's a limitation to the regex string length. I haven't looked at the
source and am hoping it is something I'm just missing.
Below are both the regex and the sample CloudTrail log entry I am trying to
parse.
Any help would be greatly appreciated.
Sample log entry (it's all one line)
####################################################################
"eventVersion":"1.02","eventID":"c0b8a753-65f8-4ea8-a924-263d4555a725","eventTime":"2015-02-19T19:46:40Z","requestParameters":"{u'maxItems':
u'100'}","eventType":"AwsApiCall","responseElements":"None","awsRegion":"us-east-1","eventName":"ListHealthChecks","userIdentity":"{u'userName':
u'mark.feferman', u'principalId': u'AIDAJCZ7AIQAFLV3CQZJA', u'accessKeyId':
u'ASIAJX7ZFLPD2SJOPQXQ', u'invokedBy': u'signin.amazonaws.com',
u'sessionContext': {u'attributes': {u'creationDate':
u'2015-02-19T19:43:21Z', u'mfaAuthenticated': u'false'}}, u'type':
u'IAMUser', u'arn': u'arn:aws:iam::875787860505:user/mark.feferman',
u'accountId': u'875787860505'}","eventSource":"route53.amazonaws.com
","requestID":"0634d15d-b870-11e4-827b-6158e160b350","apiVersion":"2013-04-01","userAgent":"
signin.amazonaws.com
","sourceIPAddress":"192.168.1.1","recipientAccountId":"875787860505"
####################################################################
decoder
####################################################################
<decoder name="cloudtrail">
<prematch>^"eventVersion":"\d.\d\d"</prematch>
<!-- the below DOES work and retrieves the awsRegion, username, and IP
address -->
<!--
<regex>"awsRegion":"(\S+)"\.+"eventName":"(\S+)"\.+"userIdentity":"{u'userName': u'(\S+)'</regex>
-->
<!-- the below line DOES NOT work (when I add the sourceIPAddress) -->
<regex>"awsRegion":"(\S+)"\.+"eventName":"(\S+)"\.+"userIdentity":"{u'userName': u'(\S+)'\.+"sourceIPAddress":"(\d+.\d+.\d+.\d+)"</regex>
<order>data,action,srcuser,srcip</order>
</decoder>
####################################################################
Sincerely,
Mark
Mark Feferman, CISM, CISSP, CSSLP
Principal @ Vaunted Group
[email protected]
713.478.5150
http://www.vauntedgroup.com
Expertise in the discipline of Software Security Assurance
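One way to check the capture logic outside ossec-logtest, as an added example that is not part of the original post: the script below translates the subset of OSSEC regex syntax used in these decoders into Python `re` syntax (assuming the documented OSSEC dialect, where `\.` matches any character and a bare `.` is literal) and runs both posted <regex> lines against a constructed, shortened one-line version of the sample entry.

```python
import re

# OSSEC regex escapes covered here and their Python re equivalents (assumed from the
# OSSEC regex syntax docs); "\." is "any character" in OSSEC, while a bare "." is literal.
OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9_]", "d": r"\d", "s": r"\s", "t": r"\t",
    "W": r"[^A-Za-z0-9]", "D": r"\D", "S": r"\S", ".": r".",
}

def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used in decoders to Python re syntax."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            esc = pattern[i] if i < len(pattern) else ""
            if esc not in OSSEC_ESCAPES:   # \p and others are not covered by this subset
                raise ValueError("unsupported OSSEC escape: \\%s" % esc)
            out.append(OSSEC_ESCAPES[esc])
        elif c in "+*^$()|":
            out.append(c)                  # same meaning in both dialects
        else:
            out.append(re.escape(c))       # every other char, "." included, is literal in OSSEC
        i += 1
    return "".join(out)

def decode(pattern, order, line):
    """Apply a translated decoder <regex> and map its captures to the <order> field names."""
    m = re.search(ossec_to_python(pattern), line)
    return dict(zip(order, m.groups())) if m else None

# Constructed, shortened one-line form of the sample entry from the post (not live data).
SAMPLE = (
    '"eventVersion":"1.02","eventTime":"2015-02-19T19:46:40Z",'
    '"awsRegion":"us-east-1","eventName":"ListHealthChecks",'
    '"userIdentity":"{u\'userName\': u\'mark.feferman\', u\'type\': u\'IAMUser\'}",'
    '"eventSource":"route53.amazonaws.com","sourceIPAddress":"192.168.1.1",'
    '"recipientAccountId":"875787860505"'
)

# The two <regex> lines from the post, unwrapped onto one line each: the working
# three-field pattern and the four-field pattern that fails in ossec-logtest.
REGEX_3 = r""""awsRegion":"(\S+)"\.+"eventName":"(\S+)"\.+"userIdentity":"{u'userName': u'(\S+)'"""
REGEX_4 = REGEX_3 + r'\.+"sourceIPAddress":"(\d+.\d+.\d+.\d+)"'
ORDER = ["data", "action", "srcuser", "srcip"]

if __name__ == "__main__":
    print(ossec_to_python(REGEX_4))
    print(decode(REGEX_3, ORDER[:3], SAMPLE))
    print(decode(REGEX_4, ORDER, SAMPLE))
```

A match here only shows that the pattern and its captures are consistent with the log layout under a standard backtracking engine; whether OSSEC's own matcher behaves the same still has to be confirmed with ossec-logtest.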