Hi Dan! I have updated your decoder and it worked perfectly. Thanks so much for helping me.
Another issue, about the *MS Exchange IIS log*. These are all the fields:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

Here is my log:

2018-09-16 00:00:09 *xxx.xxx.31.24* POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 *domainname\tientx* xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557

My IIS log decoder now is:

<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
  <regex offset="after_parent">^\S+ (\w+) (\S+ \S+) (\S+) \S+ (\S+) (\S+) \.*(\d\d\d) </regex>
  <order>action, url, srcport, srcip, user_agent, id</order>
</decoder>

and the result for the log decoded above:

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'POST'
url: '/Microsoft-Server-ActiveSync/default.eas User=thangdn&DeviceId=I51HJHEMND20F9QFEPSU7LT5F8&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=ZSMLJBRL0YTICIUBVOUG&cafeReqId=83f425f6-653b-405b-b9a0-c0e51f47e21a;'
srcport: '443'
srcip: 'xxx.xxx.57.151'
user_agent: 'Apple-iPhone10C5/1507.77'
id: '200'

===> I need to parse out the IP field *xxx.xxx.31.24* and the user *domainname\tientx*, but I have failed many times.

Can you help me check it, Dan?
Thanks and best regards

On Fri, Sep 21, 2018 at 17:55 dan (ddp) <[email protected]> wrote:
> On Fri, Sep 21, 2018 at 3:50 AM Khoa Phạm Anh <[email protected]> wrote:
> >
> > Hi Dan!
> > This is the result I've tested:
> >
> > decoder: 'pop3-new'
> > dstip: '00000000000187C9,2,xxx.xxx.31.24'
> > dstport: '993'
> > srcip: '14.187.87.216'
> > srcport: '56587'
> > dstuser: 'toandq,3,20,20,login,toandq'
> > extra_data: 'LogonFailed:LogonDenied'
> > How can I remove the sequence number before DSTIP, the highlighted one, Dan?
> > Thanks,
> >
>
> Without seeing your decoders, it's hard to give you any direction.
> Here's what I currently have:
>
> <decoder name="pop3-new">
>   <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d+\S,\S+,\d+</prematch>
> </decoder>
>
> <decoder name="pop3-new2">
>   <parent>pop3-new</parent>
>   <regex offset="after_parent">^(\S+):(\d+),(\S+):(\d+),(\S+),</regex>
>   <order>dstip,dstport,srcip,srcport,dstuser</order>
> </decoder>
>
> <decoder name="pop3-new2">
>   <parent>pop3-new</parent>
>   <regex>Msg=(\S+);</regex>
>   <order>extra_data</order>
> </decoder>
>
> Here's the logtest output:
> **Phase 1: Completed pre-decoding.
> full event: '2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
> hostname: 'rossak'
> program_name: '(null)'
> log: '2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
>
> **Phase 2: Completed decoding.
> decoder: 'pop3-new'
> dstip: 'xxx.xxx.xxx.4'
> dstport: '995'
> srcip: 'xxx.xxx.xxx.234'
> srcport: '50956'
> dstuser: 'ngapt'
> extra_data: 'LogonFailed:LogonDenied'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> **Phase 1: Completed pre-decoding.
> full event: '2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"'
> hostname: 'rossak'
> program_name: '(null)'
> log: '2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"'
>
> **Phase 2: Completed decoding.
> decoder: 'pop3-new'
> dstip: 'xxx.xxx.xxx.4'
> dstport: '993'
> srcip: 'xxx.xxx.xxx.5'
> srcport: '52332'
> dstuser: 'trunghq'
> extra_data: '""Proxy:DOMAIN.NAME:9933:SSL'
>
> The "extra_data" here probably isn't useful. You could switch the
> third decoder to:
> <regex>ErrMsg=(\S+);</regex>
> to grab just the error message (if there is one). That won't match
> anything in the IMAP log message, but I'm not sure what you'd want from
> that one anyway.
>
>
> > At 18:43:51 UTC+7 on Thursday, September 20, 2018, Khoa Phạm Anh wrote:
> >>
> >> Hi everybody, after I use logtest with these logs there is no result; please, can anyone help me decode this!!!
> >>
> >> POP3:
> >> 2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
> >>
> >> Imap4:
> >> 2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"
> >>
> >>
> >> Thanks,
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
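The IIS entry above is a W3C Extended log line, so every value sits at the position given by the #Fields directive: s-ip is the third token and cs-username the eighth, exactly the two tokens the posted <regex> skips with a bare \S+. The following Python is an added example for this thread, not code from OSSEC or from any of the posters. It parses the line by its #Fields header, pulls out the server IP and the DOMAIN\user account, and then models the decoder's regex with the two skipped tokens turned into captures, so that the extra groups land in the <order> list. In the decoder itself the equivalent change is to write ^(\S+) instead of ^\S+ before the method and (\S+) instead of \S+ before the client IP, and to add dstip and dstuser at the matching positions of <order>. The sample line is constructed (RFC 5737 documentation addresses and placeholder account names), and the field names dstip, dstuser and dstport are this example's choices from the standard OSSEC order fields; the original post used srcport for the 443 value, which is the server-side s-port.

```python
"""Field-driven parser for an Exchange/IIS W3C Extended log line.

Added example for this thread, not code from OSSEC or from any poster.
It shows where s-ip and cs-username sit in the entry and models, in
Python's re syntax, the two extra captures the decoder's <regex> needs.
"""
import re

# Constructed sample shaped like the line in the post. The addresses are
# RFC 5737 documentation ranges and the account names are placeholders.
FIELDS_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
                 "s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                 "sc-substatus sc-win32-status time-taken")
SAMPLE_LINE = ("2018-09-16 00:00:09 192.0.2.24 POST "
               "/Microsoft-Server-ActiveSync/default.eas "
               "User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone"
               "&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG"
               "&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 "
               "domainname\\tientx 198.51.100.89 Apple-iPhone8C1/1501.402 - "
               "200 0 0 580557")


def parse_fields_header(header):
    """Turn the '#Fields: a b c' directive into the list ['a', 'b', 'c']."""
    if not header.startswith("#Fields:"):
        raise ValueError("not a W3C #Fields directive")
    return header[len("#Fields:"):].split()


def parse_w3c_line(fields, line):
    """Map one entry onto the header's field names by position.

    IIS writes '-' for an empty value (mapped to None here) and replaces
    spaces inside a value with '+', so splitting on whitespace is safe;
    a token count that differs from the header means a truncated or
    foreign line, which is refused rather than mis-assigned.
    """
    if line.startswith("#"):
        return None                      # directive, not an entry
    values = line.split()
    if len(values) != len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(values)))
    return {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def exchange_auth_fields(record):
    """Select the values a decoder would hand to rules.

    s-ip is the Exchange server (the destination of the request) and c-ip
    the client, so they map to dstip/srcip; cs-username is the account that
    authenticated, split on the backslash of DOMAIN\\user.
    """
    user = record.get("cs-username")
    domain, _, account = user.rpartition("\\") if user else ("", "", None)
    return {
        "dstip": record["s-ip"],
        "srcip": record["c-ip"],
        "dstuser": account,
        "domain": domain or None,
        "action": record["cs-method"],
        "url": record["cs-uri-stem"],
        "dstport": record["s-port"],     # s-port is the server's port
        "id": record["sc-status"],
    }


# Model of the thread's <regex offset="after_parent"> with the two skipped
# '\S+' tokens turned into captures. Python re is used only to show the
# group positions; OSSEC's engine has its own syntax (there '\.' matches
# any character and '\d\d\d' stands for '\d{3}'), so this is not a drop-in.
DECODER_RE = re.compile(
    r"^(\S+) (\w+) (\S+ \S+) (\S+) (\S+) (\S+) (\S+) .*?(\d{3}) ")
ORDER = ["dstip", "action", "url", "dstport", "dstuser", "srcip",
         "user_agent", "id"]


def decode_like_ossec(line):
    """Apply the modelled regex after 'date time', which the parent
    windows-date-format decoder consumes, and zip the groups onto <order>."""
    after_parent = line.split(" ", 2)[2]
    m = DECODER_RE.match(after_parent)
    return dict(zip(ORDER, m.groups())) if m else None


if __name__ == "__main__":
    rec = parse_w3c_line(parse_fields_header(FIELDS_HEADER), SAMPLE_LINE)
    for k, v in exchange_auth_fields(rec).items():
        print("%-10s %s" % (k, v))
    print(decode_like_ossec(SAMPLE_LINE))
```

The header-driven parser is the robust path: if the IIS site is reconfigured to log a different field set, the #Fields directive changes and the positional mapping follows it, whereas a hand-written regex silently captures the wrong column. Because the `cs-uri-query` in this log carries the ActiveSync `User=` parameter as well, the decoded `dstuser` and the query's `User=` value can be compared in a rule to spot requests where the two disagree.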
