You could use the decoder "web-accesslog-iis-default" as a base for your
decoder:
<decoder name="web-accesslog-iis-default">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
<regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
<order>url,srcip,id</order>
</decoder>
Example:
2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15
**Phase 1: Completed pre-decoding.
full event: '2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
hostname: 'LinMV'
program_name: '(null)'
log: '2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
url: '/images/logo2.png -'
srcip: '10.32.5.145'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
I hope it helps.
Jesús Linares.
On Wednesday, February 3, 2016 at 9:59:25 PM UTC+1, Fredrik wrote:
>
> Hi All,
>
>
>
> Gone through a few threads about decoders for IIS. I'm just getting
> started and, so far, have only managed easy stuff. I'm trying to extract
> the fields mentioned in the decoder from the log entry using the decoder below,
> but the logtester still gives the result below. What am I missing this time
> :)
>
> FULL LOG ENTRY:
> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15
>
> LOGTEST RESULTS:
> **Phase 1: Completed pre-decoding.
> full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
> hostname: 'sto-lab99'
> program_name: '(null)'
> log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
>
> DECODER:
> <decoder name="web-accesslog-iis">
> <parent>windows-date-format</parent>
> <type>web-log</type>
> <use_own_name>true</use_own_name>
> <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
> <order>srcip, action, url, srcip, dstport</order>
> </decoder>
>
> Best,
> Fredrik
>
>
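As an added illustration (not code from the thread, nor OSSEC's own), the following Python script models how ossec-logtest chains the parent decoder's prematch, the child's prematch and the child's regex, and runs both decoders posted above over the sample IIS line. It assumes the windows-date-format parent's prematch is the leading date/time, and its translation of OSSEC's regex dialect handles only the escapes the thread uses (`\d`, `\S`, `\.`) plus `\s`; everything else is an assumption to check against your own decoder.xml.

```python
import re

# Constructed sample: the IIS W3C line from the thread, with the mail wrapping undone.
IIS_LINE = (
    "2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;"
    "+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;"
    "+Tablet+PC+2.0) 200 0 0 15"
)

# Parent decoder: both child decoders in the thread chain to windows-date-format.
# Its prematch is modelled here as the leading date/time (assumption: verify in
# your decoder.xml).
PARENT_PREMATCH = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "

# The two child decoders from the thread, as posted.
IIS_DEFAULT = {
    "prematch": r"^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST ",
    "regex_offset": "after_prematch",
    "regex": r"(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+",
    "order": "url,srcip,id",
}
FREDRIK = {
    "prematch": None,
    "regex_offset": "after_parent",
    "regex": r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) ",
    "order": "srcip, action, url, srcip, dstport",
}

# Simplified model of OSSEC's regex dialect (assumption: only these escapes are
# handled). Note the inversion relative to PCRE: a bare '.' is a literal dot and
# '\.' means "any character".
_ESCAPES = {"d": r"\d", "S": r"\S", "s": " ", ".": "."}


def ossec_to_python(pattern):
    """Translate an OSSEC-style regex into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if ch == ".":
            out.append(r"\.")            # literal dot in OSSEC syntax
        elif ch in "()+*^$|":
            out.append(ch)               # same meaning in both dialects
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def decode(decoder, line):
    """Run parent prematch -> child prematch -> child regex, like ossec-logtest.

    Returns the captured fields keyed by <order>, or None where the chain stops.
    With offset="after_parent" the child's pattern starts right after the text
    the parent's prematch consumed, so a child regex that begins with the date
    again can never match; that is the situation the logtest output in the
    thread shows.
    """
    parent = re.search(ossec_to_python(PARENT_PREMATCH), line)
    if parent is None:
        return None
    pos = parent.end()                     # offset="after_parent" starts here
    if decoder["prematch"] is not None:
        pm = re.search(ossec_to_python(decoder["prematch"]), line[pos:])
        if pm is None:
            return None
        if decoder["regex_offset"] == "after_prematch":
            pos += pm.end()                # offset="after_prematch" starts here
    m = re.search(ossec_to_python(decoder["regex"]), line[pos:])
    if m is None:
        return None
    names = [n.strip() for n in decoder["order"].split(",")]
    return dict(zip(names, m.groups()))


if __name__ == "__main__":
    print("web-accesslog-iis-default:", decode(IIS_DEFAULT, IIS_LINE))
    print("web-accesslog-iis:", decode(FREDRIK, IIS_LINE))
```

Running it yields the same url/srcip/id values the logtest output above shows for the default decoder, and None for the posted web-accesslog-iis decoder, whose regex restates the date that the parent already matched.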