On Fri, Oct 11, 2019 at 11:49 AM Diego S <[email protected]> wrote:
>
> Hi everyone!
>
> I was wondering if we already have in OSSEC a custom decoder according to this
> kind of log to get the red values.
>
> 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY,
> diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login
> attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
>
Running this through ossec-logtest gives me this:

**Phase 1: Completed pre-decoding.
full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
hostname: 'ix'
program_name: '(null)'
log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
**Phase 2: Completed decoding.
decoder: 'squid-accesslog'
**Phase 3: Completed filtering (rules).
Rule id: '35000'
Level: '0'
Description: 'Squid messages grouped.'

I get the same output with and without your custom decoder. You'll
need to put your decoder before the squid decoder.
>
> I tried to do a custom one, but without success.
>
>
> I leave you here what I've done.
>
>
>
> This one is getting the "1022 Audit" to discriminate the one I need from the
> rest.
>
>
> <decoder name="Brocade-format">
>   <!-- The prematch has to end exactly where the child's offset="after_parent"
>        regex should begin, i.e. just before the timestamp. The original
>        "^\d+\s\w\w\w\w" stopped inside "AUDIT" ("AUDI"), so the child regex,
>        which starts with "^\d\d\d\d/", could never match the leftover "T, 2019/..." -->
>   <prematch>^\d+\sAUDIT,\s</prematch>
> </decoder>
>
>
>
>
> And here is where I'm trying to get the underlined red values at the beginning
> of the text, but I'm not sure about:
>
>
> - The type of the log I have to use, or if it is necessary
>
> - The "order" value I have to use to take both of these red values.
>
> - The structure of the decoder.
>
>
> <decoder name="Brocade-login">
>   <parent>Brocade-format</parent>
>   <!-- <type> is optional and can simply be left out -->
>   <!-- Fixes against the posted regex: the "d\d" typos in the time part,
>        \p\w+\p for "(UYT)", a \s after the "SECURITY," comma, and \S+ for the
>        dotted user and host names ("diego.gonzales", "pivonox.prod...") which
>        \w (A-Z a-z 0-9 @ - _) does not match. The two captures are kept where
>        they were: the fifth comma field and the last path component. -->
>   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\s\p\w+\p,\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\s\S+/\w+/\S+/\w+(/\w+),\.*</regex>
>   <!-- Assumed field names, one per capture in order of appearance; pick the
>        ones your rules will match on (valid order fields include user, srcuser,
>        dstuser, srcip, dstip, action, status, data, extra_data, ...) -->
>   <order>data, extra_data</order>
> </decoder>
>
>
>
> Thanks and Regards!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/6d13f649-698c-41bf-b386-08602e9b2f80%40googlegroups.com.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/CAMyQvMo7nAub-vgNQod%3DATfMzke3WteHkaTjsR%3DfCJJLeH0QaQ%40mail.gmail.com.
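Added example, not from the thread and not OSSEC's own code: a small Python dry-run of a two-decoder file for the Brocade AUDIT line above. It embeds a hypothetical decoder pair (the names brocade-audit / brocade-audit-login, the choice of \p for the brackets, \S+ for the dotted names, and the order fields dstuser/srcip/action/status are my assumptions, not something the thread settled on), translates OSSEC's regex dialect (\w, \d, \s, \p, \S, \., escapes, + and *) into Python's, and replays the steps ossec-analysisd performs: first parent whose prematch hits, then the children's regex applied to the text after the prematch because of offset="after_parent", then the captures mapped onto the order fields. The translation approximates os_regex (backtracking details differ), so ossec-logtest stays the final check, and since only these two decoders are loaded the ordering problem the reply points out (squid's decoder claiming the line first) is not exercised here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Brocade AUDIT line from the thread, as OSSEC hands it
# to decoders (ossec-logtest showed no syslog header, so "log" is the whole line).
SAMPLE_LOG = (
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, "
    "Info: Successful login attempt via REMOTE, IP Addr: "
    "pivonox.prod.pci.elan.red.com.uy."
)

# Hypothetical decoder pair (names and order fields are assumptions). The parent's
# prematch ends right before the timestamp so the child's offset="after_parent"
# regex can start with the date. \p covers the literal ( ) [ ] characters, \S+ the
# dotted user and host names that \w (A-Z a-z 0-9 @ - _) cannot match.
DECODERS_XML = r"""
<decoder name="brocade-audit">
  <prematch>^\d+ AUDIT, </prematch>
</decoder>

<decoder name="brocade-audit-login">
  <parent>brocade-audit</parent>
  <regex offset="after_parent">^\d+/\d+/\d+-\d+:\d+:\d+ \p\w+\p, \p\w+\p, \w+, \w+, (\S+)/\w+/(\S+)/\w+/\w+, \.+, Event: (\w+), Status: (\w+), </regex>
  <order>dstuser, srcip, action, status</order>
</decoder>
"""

# OSSEC (os_regex) escapes mapped onto Python character classes.
OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
    "W": r"[^A-Za-z0-9@_\-]", "D": r"[^0-9]", "S": r"[^ ]",
    ".": r".", "\\": r"\\", "(": r"\(", ")": r"\)",
}
OSSEC_META = set("()+*^$|")   # same meaning in both dialects


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex>/<prematch> into a Python regex. Anything that
    is not an escape or a metacharacter is a literal for OSSEC ('[' and '.'
    included), so it is escaped for Python."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        elif ch in OSSEC_META:
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def load_decoders(xml_text: str) -> dict:
    """Parse a decoder file (several top-level <decoder> elements)."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = {}
    for d in root.findall("decoder"):
        rx = d.find("regex")
        order = d.findtext("order") or ""
        decoders[d.get("name")] = {
            "parent": d.findtext("parent"),
            "prematch": d.findtext("prematch"),
            "regex": rx.text if rx is not None else None,
            "offset": rx.get("offset") if rx is not None else None,
            "order": [f.strip() for f in order.split(",") if f.strip()],
        }
    return decoders


def decode(log: str, decoders: dict):
    """Replay the decoder walk for one line: the first parent whose <prematch>
    hits wins; each of its children is tried in turn, and with
    offset="after_parent" a child only sees the text after the prematch.
    Returns {"decoder": name, <order fields>...} or None if nothing matched."""
    for name, dec in decoders.items():
        if dec["parent"] or not dec["prematch"]:
            continue
        pm = re.search(ossec_to_python(dec["prematch"]), log)
        if not pm:
            continue
        result = {"decoder": name}
        for child_name, child in decoders.items():
            if child["parent"] != name or not child["regex"]:
                continue
            target = log[pm.end():] if child["offset"] == "after_parent" else log
            m = re.search(ossec_to_python(child["regex"]), target)
            if m:
                result["decoder"] = child_name
                result.update(zip(child["order"], m.groups()))
                break
        return result
    return None


if __name__ == "__main__":
    for key, value in decode(SAMPLE_LOG, load_decoders(DECODERS_XML)).items():
        print(f"{key}: '{value}'")
```

Running it prints the decoder name and the four fields (dstuser 'diego.gonzales', srcip 'pivonox.prod.pci.elan.red.com.uy', action 'login', status 'success'); a line that only matches the parent comes back with just the decoder name, which is the same distinction ossec-logtest shows between Phase 2 with and without extracted fields. Note the device writes a hostname after "IP Addr:", so srcip holds a name here rather than an address.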