Hi Josh,
try with this decoder:
<decoder name="arlog">
<prematch>^AR-LOG</prematch>
</decoder>
<decoder name="arlog-skype">
<parent>arlog</parent>
<regex offset="after_parent">\|\.+\|\.+\|\.+\|\.+\|(\S+)\|\.+\|(\S+)\|\S+\|\.+\|\.+\|(\.+)\|</regex>
<order>id,action,url</order>
</decoder>
ossec-logtest:
AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017
**Phase 1: Completed pre-decoding.
full event: 'AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017'
hostname: 'LinMV'
program_name: '(null)'
log: 'AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype |Skype Technologies S.A.|c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017'
**Phase 2: Completed decoding.
decoder: 'arlog'
id: 'Skype'
action: 'Logon'
url: 'c:\program files (x86)\skype\phone\skype.exe'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '0'
Description: 'Unknown problem somewhere in the system.'
I hope it helps.
Regards,
Jesus Linares.
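Added example (editor's addition, not part of Jesus's reply and not OSSEC project code): a small Python script that re-runs the decoder above offline, so the field mapping can be checked without ossec-logtest. It translates the OSSEC regex dialect (`\.` = any character, `\|` = literal pipe, `\S` = non-space) into a Python `re` pattern and applies prematch, the child regex with `offset="after_parent"`, and `<order>` to the log line from the thread. The translator models OSSEC's `+` and `*` as shortest-match (non-greedy); that is an assumption about the OS_Regex engine, but it is the behaviour the logtest output above reflects, since a greedy match would have landed on the hash fields at the end of the line. A pipe-split cross-check shows the same three values sit at positions 5, 7 and 11.

```python
import re

# The decoder from the reply above, written out as plain data. The child
# regex runs with offset="after_parent", i.e. on the text that follows the
# parent's prematch ("AR-LOG").
DECODER = {
    "prematch": r"^AR-LOG",
    "regex": r"\|\.+\|\.+\|\.+\|\.+\|(\S+)\|\.+\|(\S+)\|\S+\|\.+\|\.+\|(\.+)\|",
    "order": ["id", "action", "url"],
}

# The log line from the thread, re-joined onto one line (the mail client
# wrapped it). Everything after the launch string is the hash fields.
SAMPLE_LOG = (
    "AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|"
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|"
    r"DD-RE2\ddadmin|Skype |Skype Technologies S.A.|"
    r"c:\program files (x86)\skype\phone\skype.exe|7.22.85.109|"
    r'""C:\Program Files (x86)\Skype\Phone\Skype.exe"" /minimized /regrun|'
    "1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|"
    "BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|"
    "1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|"
    "169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|"
    "A9159194FEF672CA050D5D2DC9E64017"
)

# Escapes that mean the same thing in OSSEC's OS_Regex and in Python's re.
_SHARED_CLASSES = set("sSwWdDt")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder regex into a Python re pattern.

    Differences handled: OSSEC '\\.' is "any character" while a bare '.' is a
    literal dot; '\\|' is a literal pipe while a bare '|' is alternation; and
    OSSEC's '+' and '*' take the shortest match (modelled here as non-greedy,
    an assumption about the engine that agrees with the logtest output).
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a lone backslash")
            n = pattern[i + 1]
            i += 2
            if n == ".":
                out.append(".")
            elif n == "p":
                out.append(r"[^\w\s]")    # OSSEC \p (punctuation), approximated
            elif n in _SHARED_CLASSES:
                out.append("\\" + n)
            else:
                out.append(re.escape(n))  # \| \( \) \^ \$ ... are literals
        else:
            i += 1
            if c in "+*":
                out.append(c + "?")
            elif c in "()|^$":
                out.append(c)
            else:
                out.append(re.escape(c))
    return "".join(out)


def decode(decoder: dict, log: str):
    """Emulate prematch + child regex (offset after_parent) + order.

    Returns None when the prematch fails (the decoder does not apply), an
    empty dict when the prematch hits but the regex does not, and otherwise
    the captured groups keyed by the names in <order>.
    """
    pm = re.search(ossec_to_python(decoder["prematch"]), log)
    if pm is None:
        return None
    rest = log[pm.end():]          # offset="after_parent"
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    if m is None:
        return {}
    return dict(zip(decoder["order"], m.groups()))


def positional_fields(log: str) -> dict:
    """Cross-check: the same three values by pipe-split position."""
    f = log.split("|")
    return {"id": f[5], "action": f[7], "url": f[11]}


if __name__ == "__main__":
    print(decode(DECODER, SAMPLE_LOG))
    print(positional_fields(SAMPLE_LOG) == decode(DECODER, SAMPLE_LOG))
```

ossec-logtest stays the authority; this only covers the subset of the OS_Regex syntax used in this thread, and is meant for a quick check that a change to the regex still lands on the intended fields before it goes into the decoder file.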
On Saturday, May 21, 2016 at 1:14:04 PM UTC+2, DefensiveDepth wrote:
>
> I am attempting to write a decoder for the following log (it is delimited
> with a pipe) - I have pre-matched to "AR-LOG" and am attempting to pull out
> "Skype" "Logon" & the program path "c:\program files
> (x86)\skype\phone\skype.exe"
>
> I am attempting to do a \.* to every | (which I have to escape), but am
> having trouble since besides the pipes there is no other literal characters
> I can tie into. Any thoughts or comments on a way forward? I do have the
> ability to modify these logs before they are processed through OSSEC.
>
>
> *2016 May 20 16:39:21 (DD-C-PROD) 192.168.1.18->ar-normalized.log
> AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42
> PM|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Skype
>
> |Skype Technologies S.A.|c:\program files
> (x86)\skype\phone\skype.exe|7.22.85.109|""C:\Program Files
> (x86)\Skype\Phone\Skype.exe"" /minimized
> /regrun|1DBD44E4C19F6EC1665A89ABC884DF56|ADC1CF4AD8C6F944E31E4649BE16B186EE19D793|BCC10DF9F36B1727DBA310827CC2A6AC5C9B0D4D|1DA131F21C1A7BAF8C70272FCE5E4288E021CB434D12A28784344E02CBEA3BFA|169D5B005368A12B6F499F7B655540884BD47D872D74AAD73CD035356DA148A9|A9159194FEF672CA050D5D2DC9E64017*
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.