Hello,
I'm having some trouble writing my own custom decoder for something that
appears to be very simple (doesn't it always :p).
The log line in question is:
Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467
[NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467
(via [AF_INET]10.40.160.254%eth0.180)
*I've followed the tutorial online and have currently written the following
decoders as a test:*
<decoder name="openvpn">
<program_name>ovpn-user-server</program_name>
</decoder>
<decoder name="openvpn-ip-user">
<parent>openvpn</parent>
<prematch offset="after_parent">^\S+:\d+</prematch>
<regex>^(\S+):(\d+)\s(.+)\sPeer Connection</regex>
<order>srcip,srcport,srcuser</order>
</decoder>
I've tried all kinds of combinations of "after_parent", "after_prematch",
just tried matching on \.* etc., but none of this seems to work.
*All I get with logtest is:*
Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467
[NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467
(via [AF_INET]10.40.160.254%eth0.180)
**Phase 1: Completed pre-decoding.
full event: 'Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]:
10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with
[AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)'
hostname: 'MY-SERV-01'
program_name: 'ovpn-user-server'
log: '10.40.160.21:62467 [NAME Surname] Peer Connection Initiated
with [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)'
**Phase 2: Completed decoding.
decoder: 'openvpn'
And finally
Trying rule: 81803 - OpenVPN: Connection Certificate Failed
Trying rule: 81801 - OpenVPN: User logged in
*Rule 81801 matched.
*Trying child rules.
Trying rule: 81802 - OpenVPN: Concurrent connections
**Phase 3: Completed filtering (rules).
Rule id: '81801'
Level: '3'
Description: 'OpenVPN: User logged in'
**Alert to be generated.
So I can see that my alert is properly generated, but only decoded as being
openvpn and doesn't include any of the extra fields.
I'm kinda lost at this moment and feel like I'm missing something stupid.
Thank you for your assistance.
Kind regards
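As an added reference (not part of the original post and not an OSSEC decoder), the Python below parses the same line in the two stages logtest shows, the syslog header first and then the OpenVPN message, and returns the three values the decoder's order line names (srcip, srcport, srcuser) plus the via address. It is useful for confirming which substrings the fields should hold before translating the pattern into OSSEC's own regex dialect; the sample line is the one from the post, and the field names are the post's.

```python
import re

# Constructed sample: the "Peer Connection Initiated" line quoted in the post.
SAMPLE = ("Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 "
          "[NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 "
          "(via [AF_INET]10.40.160.254%eth0.180)")

# Stage 1 (what logtest calls pre-decoding): syslog header -> hostname,
# program_name, optional pid, and the remaining message body.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<hostname>\S+)\s"
    r"(?P<program_name>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"(?P<log>.*)$"
)

# Stage 2 (decoding): the OpenVPN body -> srcip, srcport, srcuser, plus the
# peer socket and the "via" address/interface for completeness.
OPENVPN_RE = re.compile(
    r"^(?P<srcip>\d{1,3}(?:\.\d{1,3}){3}):(?P<srcport>\d+)\s"
    r"\[(?P<srcuser>[^\]]+)\]\sPeer Connection Initiated with "
    r"\[AF_INET\](?P<peer>\S+)\s\(via \[AF_INET\](?P<via>[^%)]+)"
    r"(?:%(?P<iface>[^)]+))?\)"
)


def predecode(line):
    """Split the syslog header; returns a dict or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_openvpn(line):
    """Return header + OpenVPN fields for a connection line, else None.

    Only lines whose program_name is ovpn-user-server are considered, mirroring
    the parent decoder in the post; other lines fall through unchanged.
    """
    pre = predecode(line)
    if pre is None or pre["program_name"] != "ovpn-user-server":
        return None
    m = OPENVPN_RE.match(pre["log"])
    if m is None:
        return None
    fields = m.groupdict()
    fields["srcport"] = int(fields["srcport"])
    return {**pre, **fields}
```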