I am attempting to write a decoder for the following log (it is delimited 
with a pipe). I have pre-matched on "AR-LOG" and am attempting to pull out 
"Skype", "Logon" & the program path "c:\program files 
(x86)\skype\phone\skype.exe".

I am attempting to do a \.* up to every | (which I have to escape), but am 
having trouble since, besides the pipes, there are no other literal characters 
I can tie into. Any thoughts or comments on a way forward? I do have the 
ability to modify these logs before they are processed through OSSEC.


2016 May 20 16:39:21 (DD-C-PROD) 192.168.1.18->ar-normalized.log AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype|Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
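An added prototype for the extraction the post asks about (this is not code from the original post, and it is not an OSSEC decoder: OSSEC decoders are written in OSSEC's own regex dialect, where a literal pipe is escaped as \|). It re-joins the wrapped sample line, splits it on the pipe to find which field positions hold "Skype", "Logon" and the program path, then expresses the same extraction as a regex that consumes "anything up to the next pipe" once per field, which is the idea behind escaping every | in the decoder. The field positions, the `[^|]*` pattern and the function names are assumptions derived from the single sample line in the post; a second sample with a different field count would change the positions.

```python
r"""Prototype for pulling three fields out of the pipe-delimited AR-LOG line.

Added example, not code from the original post and not an OSSEC decoder:
OSSEC decoders use their own regex dialect (a literal pipe is written \|),
so this script only works out which field positions to target and checks
the extraction against the sample line before that decoder is written.
"""
import re
from typing import Dict, List, Optional

# Sample line constructed from the one quoted in the post, re-joined onto a
# single line (the mail client had wrapped it). The "2016 May 20 ... .log "
# prefix is the archive header in front of the raw event; the pipe-delimited
# fields start at AR-LOG.
SAMPLE = (
    r'2016 May 20 16:39:21 (DD-C-PROD) 192.168.1.18->ar-normalized.log '
    r'AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM'
    r'|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon'
    r'|DD-RE2\ddadmin|Skype|Skype Technologies S.A.'
    r'|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109'
    r'|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun'
    r'|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793'
    r'|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D'
    r'|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA'
    r'|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9'
    r'|A9159194FEF672CA050D5D2DC9E64017'
)

PREMATCH = "AR-LOG|"

# 0-based positions of the wanted fields, counting AR-LOG itself as field 0.
# These are assumptions read off the single sample line above.
FIELD_PRODUCT = 5   # "Skype"
FIELD_TRIGGER = 7   # "Logon"
FIELD_PATH = 11     # "c:\program files (x86)\skype\phone\skype.exe"


def split_fields(line: str) -> Optional[List[str]]:
    """Return the pipe-separated fields from AR-LOG onwards, or None when the
    prematch is absent. Everything before AR-LOG (the archive header) is dropped."""
    start = line.find(PREMATCH)
    if start == -1:
        return None
    return line[start:].split("|")


def decode_by_split(line: str) -> Optional[Dict[str, str]]:
    """Positional decode: the simplest approach when the only anchor is the
    delimiter itself. Fails closed if the line has too few fields."""
    fields = split_fields(line)
    if fields is None or len(fields) <= FIELD_PATH:
        return None
    return {
        "product": fields[FIELD_PRODUCT],
        "trigger": fields[FIELD_TRIGGER],
        "path": fields[FIELD_PATH],
    }


# Regex form of the same idea: one "anything up to the next pipe" per field.
# [^|]* is used instead of .* so a field can never swallow its neighbours;
# the OSSEC dialect expresses the same step with \.* between escaped \| pipes.
SKIP = r"[^|]*\|"        # a field we do not care about
CAPTURE = r"([^|]*)\|"   # a field we want to keep
AR_LOG_RE = re.compile(
    r"AR-LOG\|"
    + SKIP * 4          # DD-RE2, two timestamps, registry key
    + CAPTURE           # product name
    + SKIP              # "enabled"
    + CAPTURE           # trigger ("Logon")
    + SKIP * 3          # user, product again, publisher
    + CAPTURE           # program path
)


def decode_by_regex(line: str) -> Optional[Dict[str, str]]:
    """Regex decode; returns None when the pattern does not match."""
    m = AR_LOG_RE.search(line)
    if m is None:
        return None
    product, trigger, path = m.groups()
    return {"product": product, "trigger": trigger, "path": path}


def greedy_first_field(line: str) -> Optional[str]:
    """Shows why a plain .* is the wrong tool here: it runs to the LAST pipe on
    the line rather than the next one, so the 'field' it returns is almost the
    whole event instead of just "DD-RE2"."""
    m = re.search(r"AR-LOG\|(.*)\|", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(decode_by_split(SAMPLE))
    print(decode_by_regex(SAMPLE))
    print(len(greedy_first_field(SAMPLE)), "characters swallowed by a greedy .*")
```

Running the script prints the same three values from both the positional split and the regex, which is the check worth doing before committing the field positions to a decoder. The `greedy_first_field` function is there to make the pitfall concrete: a bare "match anything" followed by a pipe stretches to the last pipe on the line, so each field must be bounded by "anything that is not a pipe" (or the dialect's equivalent) for the per-field escaping approach to work.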