Hi, so I am working on a decoder for Sophos UTM. I have written part of the decoder; it passes ossec-regex but fails ossec-logtest.

Here is the log that I am trying to parse:

  May 13 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896 ]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="10.10.10.20"

And here is my decoder:

  <decoder name="sophos_data_format">
    <prematch>^\w+\s+\d+ \d\d:\d\d:\d\d \d+.\d+.\d+.\d+ \d\d\d\d:\d\d:\d\d-\d\d:\d\d:\d\d </prematch>
  </decoder>

  <decoder name="httpproxy">
    <parent>sophos_data_format</parent>
    <regex offset="after_parent">^(\S+) httpproxy[\d+]: id="\d+" severity="\w+" sys="\w+" sub="\w+" name="\.+" action="(\w+)" method="\w+" srcip="(\S+)" dstip="(\S*)"</regex>
    <order>url,action,srcip,dstip</order>
  </decoder>

But for some reason, the decoder is working only if the log starts like this:

  May 1 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896 ]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="10.10.10.20"

And NOT working for these formats:

  May 1 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896 ]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="10.10.10.20"

  May 11 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896 ]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="10.10.10.20"

As I was saying, ossec-regex will return OK for all of these formats, but ossec-logtest returns OK only for the first. Can you help me please? Thanks in advance.

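Added example, not part of the post above: a small Python harness that emulates, to my reading of OSSEC analysisd's cleanevent.c, the fixed-offset syslog header check that ossec-logtest runs before any decoder is tried (ossec-regex does not run it), and reports what the posted prematch actually sees for each spelling of the date field. The sample lines are constructed from the posted log, the regexes are approximate Python translations of the OSSEC ones, and `TIMESTAMP_PREMATCH` is a hypothetical alternative anchor, not something from the thread.

```python
import re

# Constructed variants of the posted log line; only the syslog date field differs.
# RFC 3164 pads a single-digit day with two spaces ("May  1"); "May 1" is non-standard.
TAIL = ('10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896 ]: id="0001" '
        'severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" '
        'method="GET" srcip="10.10.10.10" dstip="10.10.10.20"')
SAMPLES = {
    "May 13": "May 13 15:30:37 " + TAIL,
    "May  1": "May  1 15:30:37 " + TAIL,
    "May 1": "May 1 15:30:37 " + TAIL,
}

# Approximate Python translation of the posted <prematch> (assumption: OSSEC's '.' and
# '\s' behave like Python's here); it expects the syslog header to still be present.
POSTED_PREMATCH = re.compile(
    r'^\w+\s+\d+ \d\d:\d\d:\d\d \d+.\d+.\d+.\d+ \d\d\d\d:\d\d:\d\d-\d\d:\d\d:\d\d ')
# Hypothetical alternative that anchors on the Sophos timestamp, not the syslog header.
TIMESTAMP_PREMATCH = re.compile(r'^\d\d\d\d:\d\d:\d\d-\d\d:\d\d:\d\d ')


def strip_syslog_header(log):
    """Emulate analysisd's syslog check (my reading of cleanevent.c): if the line looks
    like 'Mmm dd HH:MM:SS host ' at fixed character offsets, drop the date and hostname.
    Returns (hostname or None, text that is handed to the decoders)."""
    if (len(log) > 17 and log[3] == ' ' and log[6] == ' '
            and log[9] == ':' and log[12] == ':' and log[15] == ' '):
        host, _, rest = log[16:].partition(' ')
        return host, rest
    return None, log


def decode_report(log):
    """Report whether the header was stripped and which prematch matches what is left."""
    host, rest = strip_syslog_header(log)
    return {
        "header_stripped": host is not None,
        "hostname": host,
        "decoder_input": rest[:40],
        "posted_prematch": POSTED_PREMATCH.match(rest) is not None,
        "timestamp_prematch": TIMESTAMP_PREMATCH.match(rest) is not None,
    }


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label!r}: {decode_report(line)}")
```

The harness shows the standard-format lines ("May 13", "May  1") reaching the decoder without their syslog header, so a prematch that starts with the header cannot match them, while the non-standard "May 1" line is left intact and matches.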