Hello Jesus!
Story continues. Just wanted to let you know that I have been able, with help, to unify ALL the messages for easier handling in OSSEC. It seems I will be able to only use the hostname for the decoder (see new messages samples below). However, how do I handle the fact that I would like to match the decoder regardless of which node in the firewall cluster is the source of the event? I can't use '|' within <hostname></hostname>, right? The two possibilities are st4600fw01n1 and st4600fw01n2 . Apr 15 14:41:53 st4600fw01n1 allow <eth6 mail src: 192.168.5.133; dst: 216.131.91.92; proto: tcp; appi_name: ******; app_desc: ******; app_id: 60461422; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Apache; app_sig_id: 60461422:1; resource: http://strongvpn.com/difference_between_proxy_and_vpn.html?utm_source=adwords&utm_medium=sem&gclid=Cj0KEQjwosK4BRCYhsngx4_SybcBEiQAowaCJTFp6qNVmL7E-BhfeTkQouJTwpHN5v1wslK79jD62k4aAqBB8P8HAQ; proxy_src_ip: 192.168.5.133; product: Application Control; service: http; s_port: 59319; product_family: Network; Apr 15 14:21:37 st4600fw01n1 redirect <eth1 alert web_client_type: Chrome; resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; src: 192.168.5.133; dst: 184.31.90.152; proto: tcp; session_id: {0x5710dcd1,0x10002,0xc50d2e0a,0xc0000000}; Protection name: Check Point - Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence Level: 5; severity: 2; malware_action: Communication with C&C site; rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: 192.168.5.133; product: Anti Malware; service: http; s_port: 57878; Apr 15 05:35:51 st4600fw01n1 prevent <eth6 alert src: 82.221.102.34; dst: 192.168.99.4; proto: tcp; session_id: {0x57106197,0x10003,0xc50d2e0a,0xc0000001}; Protection name: Trojan.Win32.HackerDefender.C; malware_family: HackerDefender; Source OS: Solaris; Confidence Level: 5; severity: 4; malware_action: Malicious network activity; rule_uid: {25157EEE-C09C-4FE0-A872-E0A1486526B8}; rule_name: #extweb; Protection Type: protection; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; protection_id: 000043FBC; log_id: 2; scope: 192.168.99.4; product: Anti Malware; service: http; s_port: 49228; Apr 15 14:13:17 st4600fw01n1 block <eth6 mail src: 192.168.7.196; dst: 37.157.2.24; proto: tcp; appi_name: ******; app_desc: ******; app_id: 1875144601; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Other: nginx; resource: http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk3ODMyJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L2ZsaXlmL2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzcvY2xpY2s_dXJsPQ&bWlkPTk3ODMxJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L2V0YnN3L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzAvY2xpY2s_dXJsPQ&bWlkPTk3ODI5JmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3FmdWh5L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNTYvY2xpY2s_dXJsPQ&callback=_adform_cb_1460722287088_3438587873323349; proxy_src_ip: 192.168.7.196; product: URL Filtering; service: http; s_port: 51190; product_family: Network; Apr 15 11:16:05 st4600fw01n1 block <eth6 mail src: 192.168.8.67; dst: 64.207.139.185; proto: tcp; appi_name: ******; app_desc: ******; app_id: 3723664659; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Apache; resource: http://cdn.wibiya.com/Toolbars/dir_0650/Toolbar_650079/Loader_650079.js; proxy_src_ip: 192.168.8.67; product: URL Filtering; service: http; s_port: 61907; product_family: Network; The two outliers now are the messages below. For the first one, I guess, the best way will be to create a separate decoder and match for the other hostname (message originates from the firewall management), right? The second one, I have to figure out why SmartDefense throws in a leading > before the hostname. Until then, perhaps only go with a prematch including the '>', right? Mar 7 13:07:53 sto-fwm03 mail System Alert message: A Firewall Policy has been successfully installed on st4600fw01n1; Object: st4600fw01n1; Event: Change; Parameter: policy_time; Condition: changes Mon Mar 7 13:03:42 2016; Current value: Mon Mar 7 13:08:48 2016; product: Test Monitor; product_family: Network; Apr 15 12:23:16 > st4600fw01n1 alert Protection Name: TCP Urgent Data Enforcement; Severity: 0; Confidence Level: 0; protection_id: tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; Performance Impact: 0; Protection Type: settings; rule: 20; rule_uid: {3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: #sample; Attack Info: TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869.; attack: Streaming Engine: TCP Urgent Data Enforcement; Total logs: 3; Suppressed logs: 2; proto: tcp; dst: 104.16.65.50; src: 192.168.10.204; product: SmartDefense; service: https; s_port: 56814; FollowUp: Not Followed; product_family: Network; Best regards, Fredrik On Friday, April 1, 2016 at 1:18:17 PM UTC+2, Jesus Linares wrote: > > Hi Fredrik, > > here an example of decoding allow/block events (with the option > *after_regex*): > > > <!-- > pattern: > Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 Text > --> > <decoder name="Checkpoint-test"> > <prematch>^\w\w\w \d+ \d+:\d+:\d+ \S+ </prematch> > <type>firewall</type> > </decoder> > > > <!-- > Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: > 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; > Suppressed logs: 19; Referrer_self_uid: ******; product: Application > Control; service: http; s_port: 64136; product_family: Network; > --> > <decoder name="Checkpoint-block-allow"> > <parent>Checkpoint-test</parent> > <prematch offset="after_parent">^block|^allow</prematch> > <regex offset="after_parent">(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: > (\d+.\d+.\d+.\d+)</regex> > <order>action,srcip,dstip</order> > </decoder> > > > <!-- > Checkpoint-block-allow: extra fields: resource and product > Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 10063753; app_category: ******; matched_category: > ******; app_properties: ******; app_risk: ******; app_rule_id: ******; > app_rule_name: ******; web_client_type: Chrome; web_server_type: > Microsoft-IIS; app_sig_id: 10063753:5; resource: > http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: > Application Control; service: http; s_port: 64136; product_family: Network; > --> > <decoder name="Checkpoint-block-allow"> > <parent>Checkpoint-test</parent> > <regex offset="after_regex">resource: (\S+); proxy_src_ip: \S+; > product: (\.+); </regex> > <order>url, extra_data</order> > </decoder> > > > I recommend you configure all your checkpoint devices with the same log > format. If you can't you could use *several parents*: > > <!-- > pattern: > Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 Text > --> > <decoder name="Checkpoint-test"> > <prematch>^\w\w\w \d+ \d+:\d+:\d+ \S+ </prematch> > <type>firewall</type> > </decoder> > > > <!-- > pattern: > Mar 30 10:04:39 127.0.0.1 redirect <eth1 alert web_client_type: Chrome; > resource: > http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; > src: 192.168.5.133; dst: 172.226.217.148; proto: tcp; session_id: > {0x56fb8896,0x10009,0xc50d2e0a,0xc0000001}; Protection name: Check Point - > Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence > Level: 5; severity: 2; malware_action: Communication with C&C site; > rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL > reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; > protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: > 192.168.5.133; product: Anti Malware; service: http; s_port: 49244; > > > Mar 29 20:13:14 127.0.0.1 prevent <eth1 alert web_client_type: Microsoft > IE; resource: > http://www.bing.com/fd/ls/GLinkPing.aspx?IG=9A0044152B65437D93F87086B9E730D9&&ID=SERP,5118.1&url=http://sc1.checkpoint.com/z...; > > src: 192.168.5.133; dst: 204.79.197.200; proto: tcp; session_id: > {0x56fac5ba,0x10004,0xc50d2e0a,0xc0000000}; Protection name: Check Point - > Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence > Level: 5; severity: 2; malware_action: Communication with C&C site; > rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL > reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; > protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: > 192.168.5.133; product: Anti Malware; service: http; s_port: 63119; > --> > <decoder name="Checkpoint-test"> > <prematch>^redirect \p|^prevent \p</prematch> > <type>firewall</type> > </decoder> > > > <!-- > Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: > 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; > Suppressed logs: 19; Referrer_self_uid: ******; product: Application > Control; service: http; s_port: 64136; product_family: Network; > --> > <decoder name="Checkpoint-block-allow"> > <parent>Checkpoint-test</parent> > <prematch offset="after_parent">^block|^allow</prematch> > <regex offset="after_parent">(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: > (\d+.\d+.\d+.\d+)</regex> > <order>action,srcip,dstip</order> > </decoder> > > > <!-- > Checkpoint-block-allow: extra fields: resource and product > Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 10063753; app_category: ******; matched_category: > ******; app_properties: ******; app_risk: ******; app_rule_id: ******; > app_rule_name: ******; web_client_type: Chrome; web_server_type: > Microsoft-IIS; app_sig_id: 10063753:5; resource: > http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: > Application Control; service: http; s_port: 64136; product_family: Network; > --> > <decoder name="Checkpoint-block-allow"> > <parent>Checkpoint-test</parent> > <regex offset="after_regex">resource: (\S+); proxy_src_ip: \S+; > product: (\.+); </regex> > <order>url, extra_data</order> > </decoder> > > > P.S. My name is Jesus, not Jose ;). > > Regards, > Jesus Linares. > > > > On Wednesday, March 30, 2016 at 10:28:09 AM UTC+2, Fredrik wrote: > > Hi Jose, > > > I got some help to sort out the different timestamps (format) and all log > types now use "Jan 27 09:41:01". You asked about the firewall, this > particular one is a Checkpoint currently running version R77.20. > > The remaining question, that might be of interest to others on the path to > OSSEC mastery ;) ;) is how to handle messages with different "format" > coming from the same host. I have collected a bunch of messages that I > would like to be able to decode, but I'm not sure about the most efficient > way to build the parent/child decoder tree for this. > > With the help received previously in this thread, I currently have the > following in my local_decoder and I'm experimenting with different addition > - none of which is working so far ;) > > <decoder name="Checkpoint"> > <prematch>^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d</prematch> > <type>firewall</type> > </decoder> > > <decoder name="Checkpoint-alert"> > <parent>Checkpoint</parent> > <regex offset="after_parent">(\w+) \p\w+ \w+ > src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex> > <order>action,srcip,dstip</order> > </decoder> > > <decoder name="Checkpoint-alert"> > <parent>Checkpoint</parent> > <regex offset="after_regex">\.*resource: (\.*);\.*product: (\.*);</regex> > <order>url,extra_data</order> > </decoder> > > > Below is a collection of syslog messages recieved from the firewall where > the first section is currently decoded using the local_decoder above: > > > Mar 29 10:09:40 127.0.0.1 Mar 29 9:57:49 st4600fw01n1 block <eth6 mail > src: 192.168.7.206; dst: 54.72.9.51; proto: tcp; bytes: 4962; sent_bytes: > 530; received_bytes: 4432; app_id: 3404393449; browse_time: ******; > Suppressed logs: 1; Referrer_self_uid: ******; product: URL Filtering; > service: http; s_port: 54693; product_family: Network; > > Mar 29 20:57:00, st4600fw01n1, allow <eth1 mail src: 192.168.5.133; dst: > 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: > 10063753; app_category: ******; matched_category: ******; app_properties: > ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; > web_client_type: Microsoft IE; web_server_type: Microsoft-IIS; app_sig_id: > 10063753:5; resource: http://aliveproxy.com/; proxy_src_ip: > 192.168.5.133; product: Application Control; service: http; s_port: 63867; > product_family: Network; > > Mar 30 09:04:14 127.0.0.1 Mar 30 8:52:22 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 23.67.132.180; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 10003219; app_category: ******; matched_category: > ******; app_properties: ******; app_risk: ******; app_rule_id: ******; > app_rule_name: ******; app_sig_id: 10003219:4; proxy_src_ip: 192.168.5.133; > product: Application Control; service: https; s_port: 64166; > product_family: Network; > > Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: > 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; > Suppressed logs: 19; Referrer_self_uid: ******; product: Application > Control; service: http; s_port: 64136; product_family: Network; > > Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail > src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 10063753; app_category: ******; matched_category: > ******; app_properties: ******; app_risk: ******; app_rule_id: ******; > app_rule_name: ******; web_client_type: Chrome; web_server_type: > Microsoft-IIS; app_sig_id: 10063753:5; resource: > http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: > Application Control; service: http; s_port: 64136; product_family: Network; > > Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 block <eth6 mail > src: 192.168.5.136; dst: 37.157.4.15; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 1875144601; app_category: ******; > matched_category: ******; app_properties: ******; app_risk: ******; > app_rule_id: ******; app_rule_name: ******; web_client_type: Other: > Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like > Gecko; web_server_type: Other: nginx; resource: > http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTE1NzU3NiZybmQ9ODU1M2JjNGMtMmY2MC00YzVjLWFhMzAtYmY5NzZlNDllZDNk&callback=_adform_cb_1459234242747_7491414591872548; > > proxy_src_ip: 192.168.5.136; product: URL Filtering; service: http; s_port: > 54051; product_family: Network; > > Mar 29 09:06:12 127.0.0.1 Mar 29 8:54:21 st4600fw01n1 block <eth6 mail > src: 192.168.6.157; dst: 37.157.4.15; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 1875144601; app_category: ******; > matched_category: ******; app_properties: ******; app_risk: ******; > app_rule_id: ******; app_rule_name: ******; web_client_type: Other: > Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like > Gecko; web_server_type: Other: nginx; resource: > http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk1NzI4&callback=_adform_cb_1459234355177_008705563130792681; > > proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: > 51746; product_family: Network; > > Mar 29 08:37:54 127.0.0.1 Mar 29 8:26:03 st4600fw01n1 block <eth6 mail > src: 192.168.6.157; dst: 152.115.75.210; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 1875144601; app_category: ******; > matched_category: ******; app_properties: ******; app_risk: ******; > app_rule_id: ******; app_rule_name: ******; web_client_type: Other: > Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like > Gecko; web_server_type: Other: nginx; resource: > http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk3ODMyJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3VlZXVqL2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzcvY2xpY2s_dXJsPQ&bWlkPTk3ODMxJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3lydmd2L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzAvY2xpY2s_dXJsPQ&callback=_adform_cb_1459232656248_7681010355476278; > > proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: > 51104; product_family: Network; > > Mar 29 08:35:17 127.0.0.1 Mar 29 8:23:24 st4600fw01n1 block <eth6 mail > src: 192.168.6.157; dst: 152.115.75.199; proto: tcp; appi_name: ******; > app_desc: ******; app_id: 1875144601; app_category: ******; > matched_category: ******; app_properties: ******; app_risk: ******; > app_rule_id: ******; app_rule_name: ******; web_client_type: Other: > Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like > Gecko; web_server_type: Other: nginx; resource: > http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk1NzMw&callback=_adform_cb_1459232497393_6046677836175733; > > proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: > 50904; product_family: Network; > > > > > Mar 30 10:04:39 127.0.0.1 redirect <eth1 alert web_client_type: Chrome; > resource: > http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; > src: 192.168.5.133; dst: 172.226.217.148; proto: tcp; session_id: > {0x56fb8896,0x10009,0xc50d2e0a,0xc0000001}; Protection name: Check Point - > Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence > Level: 5; severity: 2; malware_action: Communication with C&C site; > rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL > reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; > protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: > 192.168.5.133; product: Anti Malware; service: http; s_port: 49244; > > Mar 29 20:13:14 127.0.0.1 prevent <eth1 alert web_client_type: Microsoft > IE; resource: > http://www.bing.com/fd/ls/GLinkPing.aspx?IG=9A0044152B65437D93F87086B9E730D9&&ID=SERP,5118.1&url=http://sc1.checkpoint.com/z...; > > src: 192.168.5.133; dst: 204.79.197.200; proto: tcp; session_id: > {0x56fac5ba,0x10004,0xc50d2e0a,0xc0000000}; Protection name: Check Point - > Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence > Level: 5; severity: 2; malware_action: Communication with C&C site; > rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL > reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; > protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: > 192.168.5.133; product: Anti Malware; service: http; s_port: 63119; > > Mar 30 9:04:59, st4600fw01n1, allow <eth6 mail src: 192.168.5.133; dst: > 207.244.85.73; proto: tcp; appi_name: ******; app_desc: ******; app_id > : 10064017; app_category: ******; matched_category: ******; > app_properties: ******; app_risk: ******; app_rule_id: ******; > app_rule_name: ******; web_client_type: Chrome; web_server_type: Apache; > app_sig_id: 10064017:2; resource: http://www.bypassthat.com/; > proxy_src_ip: 192.168.5.133; product: Application Control; service: http; > s_port: 64499; product_family: Network; > > > > Mar 30 08:55:41 127.0.0.1 Mar 30 8:49:25 < sto-fwm03 mail System Alert > message: A Firewall Policy has been successfully installed on st4600fw01n2; > Object: st4600fw01n2; Event: Change; Parameter: policy_time; Condition: > changes Tue Mar 22 11:07:17 2016; Current value: Wed Mar 30 08:39:57 2016; > product: System Monitor; product_family: Network; > > Mar 30 08:56:02 127.0.0.1 Mar 30 8:49:47 < sto-fwm03 mail System Alert > message: A Firewall Policy has been successfully installed on st4600fw01n1; > Object: st4600fw01n1; Event: Change; Parameter: policy_time; Condition: > changes Tue Mar 22 11:09:21 2016; Current value: Wed Mar 30 08:43:12 2016; > product: System Monitor; product_family: Network; > > > > On Tuesday, March 29, 2016 at 12:53:19 PM UTC+2, Jesus Linares wrote: > > Hi, > > first, I would use the same format for both messages. Two options: > > - Change log format in each device. > - Choose one: > - 1Mar2016 15:17:09 redirect st4600fw01n1 > - Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 > - This part could be your parent decoder (using regular expressions) > - Change the log received with rsyslog, for example, add a string: > - *MyFirewall *1Mar2016 15:17:09 redirect st4600fw01n1 > - So, the parent decoder will be <prematch*>^**MyFirewall > </prematch>* > > The prematch of each sub-decoder (child decoder) could be the type of log, > maybe "web_client_type" or "mail". > > What firewall are you using? Version?. > > Paste here more logs. > > Regards, > Jesus Linares > > On Thursday, March 24, 2016 at 9:47:28 PM UTC+1, Fredrik wrote: > > Hi Jesus, > > > Got sidetracked with other projects, and finally getting back to my questio > > ... -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.