Hey guys!
I made a decoder for pfSense, but it is not being recognized by ossec.
Follow the decoder with a log sample:
<!-- Nov 7 12:37:34 pfSense filterlog:
5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166
-->
<decoder name="pfsense">
<program_name>pfsense</program_name>
</decoder>
<decoder name="pfsense">
<prematch>^\w+ \d+ \d+:\d+:\d+ pfSense |\w+ \d+ \d+:\d+:\d+ pfSense
</prematch>
</decoder>
<decoder name="pfsense_filter">
<parent>pfsense</parent>
<regex offset="after_parent">^filterlog:
\d+,,,\d+,\S+,\w+,\w+,\w+,\d+,\S+,,\d+,\d+,\d+,none,\d+,udp,\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+,\d+,\d+$</regex>
<order>srcip, dstip</order>
</decoder>
I put it in the folder of the decoders and tested with the ossec-logtest,
follow the output:
I'd like to know what's wrong.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
