Hi. I'm trying, unsuccessfully, to create a decoder for Outlook Web Access
(OWA) 2003 access logs. These are a slightly different format to regular
IIS access logs, so aren't getting matched:
2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5
I've added a local decoder as below, but it's not getting matched:
<decoder name="web-accesslog-owa">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ </prematch>
  <regex offset="after_prematch">(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ (\d+)</regex>
  <order>action, url, srcip, id</order>
</decoder>
Any ideas? I've based this on the tweaks for IIS7 logs, which seem to
work. Testing my regex elsewhere, e.g. regex101.com, it seems to work and
I don't get any errors. Testing in ossec-logtest, I get the following:
**Phase 1: Completed pre-decoding.
full event: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
hostname: 'ossec'
program_name: '(null)'
log: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
**Phase 3: Completed filtering (rules).
Rule id: '31100'
Level: '0'
Description: 'Access log messages grouped.'
I'm trying to detect scans via multiple 400 errors, but they're not getting
picked up because the decoder is failing.
Thanks
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
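As an added illustration, not part of the original post or of OSSEC itself: the field extraction the decoder above is meant to perform, and the "many 4xx responses from one source" check the poster wants alerted on, written in Python. The OSSEC regex is translated to Python's re syntax (the dots in the IP pattern are escaped here), and the log lines other than the one in the post are constructed in the same OWA/IIS format.

```python
import re
from collections import Counter

# Python re translation of the post's windows-date-format parent, prematch and regex:
# date time W3SVC<n> server-ip, then method, uri-stem + query, port, user, client-ip, UA, status.
OWA_LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "  # windows-date-format parent
    r"W3SVC\d+ \S+ "                                              # prematch: site id, server ip
    r"(?P<action>\S+) (?P<url>\S+ \S+) \d+ \S+ "                  # method, uri-stem + query, port, user
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ (?P<id>\d+)"               # client ip, user agent, status
)

def decode_owa(line):
    """Return the fields named in the decoder's <order>, or None if the line does not match."""
    m = OWA_LOG_RE.match(line)
    if not m:
        return None
    return {"action": m["action"], "url": m["url"], "srcip": m["srcip"], "id": int(m["id"])}

def scanning_sources(lines, threshold=4):
    """Source IPs that produced at least `threshold` 4xx responses (the scan pattern in the post)."""
    hits = Counter()
    for line in lines:
        fields = decode_owa(line)
        if fields and 400 <= fields["id"] < 500:
            hits[fields["srcip"]] += 1
    return {ip for ip, n in hits.items() if n >= threshold}

# Constructed sample: the post's own line followed by invented lines in the same format.
SAMPLE_LINES = [
    "2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5",
    "2015-12-09 14:03:45 W3SVC1 10.10.10.10 GET /admin/ - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 404 0 2",
    "2015-12-09 14:03:45 W3SVC1 10.10.10.10 GET /cgi-bin/test.cgi - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 404 0 2",
    "2015-12-09 14:03:46 W3SVC1 10.10.10.10 POST /exchange/ - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 401 5 0",
    "2015-12-09 14:03:50 W3SVC1 10.10.10.10 GET /exchange/ - 80 DOMAIN\\alice 192.0.2.25 Mozilla/5.0+(Windows+NT+6.1) 200 0 0",
    "2015-12-09 14:03:51 W3SVC1 10.10.10.10 GET /favicon.ico - 80 - 192.0.2.25 Mozilla/5.0+(Windows+NT+6.1) 404 0 2",
]

if __name__ == "__main__":
    print(decode_owa(SAMPLE_LINES[0]))
    print(scanning_sources(SAMPLE_LINES))
```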