I would like to write a decoder for a logfile with entries of the following
kind:
27.01.2017,09:06:17 [INFO] Engine-Version: 8.3.42.156
27.01.2017,09:06:17 [INFO] VDF-Version: 8.12.150.34
27.01.2017,09:06:17 [INFO] APC-Version: 2.7.1.3
27.01.2017,09:06:17 [INFO] RDF-Version: 14.0.5.76
27.01.2017,09:06:17 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
27.01.2017,09:06:18 [INFO] [ACP] Load Avira Communication Protocol and initialize message broker
27.01.2017,09:06:18 [INFO] [ACP] Publish the ACP activity resource
27.01.2017,09:06:18 [INFO] [ACP] Start of the ACP message broker is triggered
27.01.2017,09:06:18 [INFO] Verwendete Konfiguration der Echtzeit-Scanner:
- Geprüfte Dateien: Dateien von lokalen Laufwerken prüfen
- Geprüfte Dateien: Dateierweiterungsliste verwenden: .386 .?HT* .ACM
.ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF
.CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX .DLL .DLO .DO* .DRV .EMF
.EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI
.JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD
.MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG
.POT* .PPAM .PPS* .PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH
.SHA .SHB .SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TSP .TTF .URL .VB? .VCS
.VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XAR .XL*
.XML .XXX .ZIP
- Gerätemodus: Datei beim Öffnen durchsuchen, Datei nach Schließen durchsuchen
- Aktion: Benutzer fragen
- Archive durchsuchen: Deaktiviert
- Makrovirenheuristik: Aktiviert
- Win32 Dateiheuristik: Erkennungsstufe mittel
- Protokollierungsstufe: Standard
27.01.2017,09:06:18 [INFO] Online-Dienste stehen zur Verfügung.
27.01.2017,09:17:04 [INFO] Update-Auftrag gestartet!
27.01.2017,09:17:15 [INFO]
---------------------------------------------------------
27.01.2017,09:17:15 [INFO] Engine-Version: 8.3.42.156
27.01.2017,09:17:15 [INFO] VDF-Version: 8.12.150.78
27.01.2017,09:17:15 [INFO] APC-Version: 2.7.1.3
27.01.2017,09:17:15 [INFO] RDF-Version: 14.0.5.76
27.01.2017,09:17:15 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
27.01.2017,09:27:17 [WARNUNG] Der Zugriff auf die Datei 'H:\autorun.inf' wurde blockiert.
Currently, I do not care about the multi-line entries.
I managed to write the following decoders, which work fine:
<decoder name="aviraInfo">
<prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [INFO]</prematch>
</decoder>
<decoder name="aviraWarnung">
<prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [WARNUNG]</prematch>
</decoder>
I would like to add a parent that matches the date and the time and two
child decoders that distinguish WARNUNG and INFO. However, I was
unsuccessful with the following attempt:
<decoder name="avira">
<prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
</decoder>
<decoder name="aviraInfo">
<parent>avira</parent>
<prematch offset="after_parent">INFO</prematch>
</decoder>
<decoder name="aviraWarning">
<parent>avira</parent>
<prematch offset="after_parent">WARNING</prematch>
</decoder>
As a result, only the first decoder matches. How do I get this to run?
Thanks in advance!
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
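A worked parent/child decoder tree for the Avira log lines shown above, added here as an example; it is not code from the original post and not one of OSSEC's shipped decoders. It relies on OSSEC's own regex dialect (\d for a digit, \. for a literal dot, unescaped [ and ] are literal, \.+ is "one or more of any character", ^ anchors at the offset the child starts from). The decoder names, the use of the extra_data field for the message text, and the assumption that every entry is a single line are choices made for this example.

```xml
<!-- Parent: date,time and the opening bracket of the level tag.
     \. is a literal dot in OSSEC regex; a bare . would match any character. -->
<decoder name="avira">
  <prematch>^\d\d\.\d\d\.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
</decoder>

<!-- Child for INFO. offset="after_parent" starts matching right after the
     parent's prematch, i.e. at the text following the opening bracket, so
     the ^ anchor refers to that position. The level tag text must be the
     literal tag as it appears in the log (here "INFO"). -->
<decoder name="avira-info">
  <parent>avira</parent>
  <prematch offset="after_parent">^INFO] </prematch>
  <!-- Everything after the tag becomes the extra_data field (assumption: single-line entries). -->
  <regex offset="after_prematch">^(\.+)$</regex>
  <order>extra_data</order>
</decoder>

<!-- Child for warnings. The log writes the German tag "WARNUNG", so the
     prematch must use that spelling; a prematch for "WARNING" never matches
     any of the sample lines. -->
<decoder name="avira-warnung">
  <parent>avira</parent>
  <prematch offset="after_parent">^WARNUNG] </prematch>
  <regex offset="after_prematch">^(\.+)$</regex>
  <order>extra_data</order>
</decoder>
```

To check a single line without restarting OSSEC, pipe it into /var/ossec/bin/ossec-logtest (for example: echo "27.01.2017,09:27:17 [WARNUNG] Der Zugriff auf die Datei 'H:\autorun.inf' wurde blockiert." | /var/ossec/bin/ossec-logtest) and confirm that phase 2 reports decoder avira-warnung with extra_data set to the message. Two caveats a practitioner will hit: an entry where nothing follows the tag, such as the "[INFO]" line that precedes the dashed separator, matches only the parent, because the child prematch requires the closing bracket and a space; and the continuation lines of the multi-line configuration block match no decoder at all, which is the expected outcome for the single-line case the question restricts itself to.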