Hi,
I have just installed ossec and I would like to use it to analyse Checkpoint logs, using syslog-ng to accept logs from the firewall and syslog to analyse.
I am trying to use the checkpoint decoder. The log line looks the same to me as the sample log line. However, Phase 2 never seems to work. Is there something extra I need to do to make it work, or does it need a new decoder?
Jul 10 13:34:07 192.168.46.100 Checkpoint: 13:34:15 accept 10.0.0.1 >eth1.5 rule: 55; rule_uid: {00000000-000-0000-0000-00000000000}; service_id: http; src: 192.2.1.1; dst: 10.12.15.11; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 43584;
/var/ossec/etc# /var/ossec/bin/ossec-logtest
2015/07/13 14:03:32 ossec-testrule: INFO: Reading local decoder file.
2015/07/13 14:03:32 ossec-testrule: INFO: Started (pid: 13641).
ossec-testrule: Type one log per line.
Jul 10 13:34:07 192.168.46.100 Checkpoint: 13:34:15 accept 10.0.0.1 >eth1.5 rule: 55; rule_uid: {00000000-000-0000-0000-00000000000}; service_id: http; src: 192.2.1.1; dst: 10.12.15.11; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 43584;

**Phase 1: Completed pre-decoding.
       full event: 'Jul 10 13:34:07 192.168.46.100 Checkpoint: 13:34:15 accept 10.0.0.1 >eth1.5 rule: 55; rule_uid: {00000000-000-0000-0000-00000000000}; service_id: http; src: 192.2.1.1; dst: 10.12.15.11; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 43584;'
       hostname: '192.168.46.100'
       program_name: 'Checkpoint'
       log: '13:34:15 accept 10.0.0.1 >eth1.5 rule: 55; rule_uid: {00000000-000-0000-0000-00000000000}; service_id: http; src: 192.2.1.1; dst: 10.12.15.11; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 43584;'

**Phase 2: Completed decoding.
       No decoder matched.
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
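Whether a "No decoder matched" in Phase 2 is a decoder problem or a log-format problem comes down to the gates an OSSEC syslog decoder applies to the pre-decoded line: program_name, prematch, and then the field-extracting regex. The following Python model of that two-phase process is an added example written for this page; it is neither the poster's setup nor code from the OSSEC project. The patterns are Python `re` syntax, not OSSEC's own OSRegex, so they cannot be pasted into local_decoder.xml as they stand; the decoder definition, its name and the field names (srcip, dstip, action, protocol, srcport, dstport, chosen to follow OSSEC's usual ones) are assumptions. The first sample line is the one from the post; the other two are constructed.

```python
import re
from dataclasses import dataclass

# Sample events. The first is the line from the post above (addresses as
# posted); the second is a constructed variant (a drop on another rule and
# interface) so the decoder is exercised on more than one line; the third is
# a constructed non-Checkpoint line that must fall through with no decoder.
SAMPLE_LINES = [
    "Jul 10 13:34:07 192.168.46.100 Checkpoint: 13:34:15 accept 10.0.0.1 >eth1.5 "
    "rule: 55; rule_uid: {00000000-000-0000-0000-00000000000}; service_id: http; "
    "src: 192.2.1.1; dst: 10.12.15.11; proto: tcp; product: VPN-1 & FireWall-1; "
    "service: 80; s_port: 43584;",
    "Jul 10 13:35:02 192.168.46.100 Checkpoint: 13:35:10 drop 10.0.0.1 <eth0 "
    "rule: 12; rule_uid: {00000000-000-0000-0000-00000000000}; service_id: ssh; "
    "src: 198.51.100.7; dst: 10.12.15.20; proto: tcp; product: VPN-1 & FireWall-1; "
    "service: 22; s_port: 51022;",
    "Jul 10 13:36:00 host1 sshd[2231]: Accepted password for bob from 10.0.0.9 port 40112 ssh2",
]

# Phase 1 (pre-decoding): split the BSD syslog header into the fields that
# ossec-logtest prints as hostname / program_name / log. A trailing [pid]
# is dropped from program_name.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<hostname>\S+) (?P<program_name>[^:\s\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line):
    """Return {'hostname', 'program_name', 'log'} or None if not syslog-shaped."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


@dataclass(frozen=True)
class Decoder:
    """Hypothetical stand-in for one <decoder> entry: three gates in order."""
    name: str
    program_name: re.Pattern   # tested against the pre-decoded program_name
    prematch: re.Pattern       # cheap gate on the log body
    regex: re.Pattern          # named groups become the decoded fields


# Hypothetical Checkpoint decoder in Python re syntax (not OSRegex).
CHECKPOINT = Decoder(
    name="checkpoint-syslog",
    program_name=re.compile(r"^checkpoint$", re.IGNORECASE),
    prematch=re.compile(r"^\d\d:\d\d:\d\d \w+ \S+ [<>]\S+ rule: "),
    regex=re.compile(
        r"^\d\d:\d\d:\d\d (?P<action>\w+) \S+ [<>](?P<interface>\S+) "
        r"rule: (?P<rule>\d+); .*?"
        r"src: (?P<srcip>[^;\s]+); dst: (?P<dstip>[^;\s]+); proto: (?P<protocol>\w+); "
        r".*?service: (?P<dstport>\d+); s_port: (?P<srcport>\d+);"
    ),
)


def decode(line, decoders=(CHECKPOINT,)):
    """Phase 2: the first decoder whose program_name and prematch both pass wins."""
    pre = predecode(line)
    result = {"phase1": pre, "decoder": None, "fields": {}}
    if pre is None:
        return result
    for d in decoders:
        if not d.program_name.search(pre["program_name"]):
            continue
        if not d.prematch.search(pre["log"]):
            continue
        result["decoder"] = d.name
        m = d.regex.search(pre["log"])
        if m:
            result["fields"] = m.groupdict()
        return result
    return result


def explain(line, decoders=(CHECKPOINT,)):
    """Mimic ossec-logtest's two-phase printout for one line."""
    r = decode(line, decoders)
    if r["phase1"] is None:
        return "**Phase 1: pre-decoding failed (not a syslog line)"
    out = ["**Phase 1: Completed pre-decoding."]
    for k in ("hostname", "program_name", "log"):
        out.append(f"       {k}: '{r['phase1'][k]}'")
    out.append("**Phase 2: Completed decoding.")
    if r["decoder"] is None:
        out.append("       No decoder matched.")
    else:
        out.append(f"       decoder: '{r['decoder']}'")
        out.extend(f"       {k}: '{v}'" for k, v in r["fields"].items())
    return "\n".join(out)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(line), end="\n\n")
```

Run it as-is to get the same two-phase printout for each line; `decode()` returns the fields so they can be asserted on. The practical check for the situation in the post: when Phase 1 already shows the expected program_name but Phase 2 reports no decoder, it is the decoder's program_name or prematch gate that did not pass, so those two patterns in the shipped decoder.xml are the first thing to compare against the program_name and log values printed in Phase 1.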