Hi Diego,
The issue seems to be the regular expression. 

It seems the correct syntax would be: 
<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),</regex>
  <order>user,second</order>
</decoder>
Note that the /, [ and ] characters are not escaped, and that the criteria for 
extracting fields have been optimized.

Although the issue was with the regular expression, which uses the same 
interpreter as OSSEC, it is true that the behavior is not the same as 
with OSSEC, so I do recommend using the Wazuh mailing list for queries 
related to Wazuh.

Best Regards,
Juan Carlos Tello

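As an added example (not part of this thread, and not OSSEC or Wazuh code), here is a small Python linter for the OSSEC regex dialect that catches the problems discussed above: the escaped /, [ and ] characters, the stray "/S+" and the unbalanced parenthesis in the first Brocade decoder. The escape whitelist is an assumption taken from the documented OSSEC regex syntax, not from the page.

```python
# Escapes the OSSEC/Wazuh regex dialect accepts (assumption, from the documented
# syntax: \w \d \s \t \p \W \D \S \. plus literal \( and \) ).
OSSEC_ESCAPES = set("wdstpWDS.()")
# Plain literals in this dialect that must not be escaped (as the reply notes).
NEVER_ESCAPE = set("/[]")

# The two regexes from this thread: the original and the corrected one.
BROKEN_BROCADE_REGEX = (r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], "
                        r"\S+, \S+, /S+)/\S+(/\w+/\S+),")
FIXED_BROCADE_REGEX = (r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], "
                       r"\S+, \S+, (\.+)/\S+/(\.+),")


def lint_ossec_regex(pattern: str) -> list:
    """Return human-readable problems in an OSSEC-style regex (empty if clean)."""
    problems, depth, i = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":  # backslash escape: must be one the dialect knows
            if i + 1 == len(pattern):
                problems.append("trailing backslash")
                break
            nxt = pattern[i + 1]
            if nxt in NEVER_ESCAPE:
                problems.append(f"'{nxt}' must not be escaped (col {i})")
            elif nxt not in OSSEC_ESCAPES:
                problems.append(f"unknown escape '\\{nxt}' (col {i})")
            i += 2
            continue
        # "/S+" style: a slash where a backslash was almost certainly meant
        if ch == "/" and pattern[i + 1:i + 3] in ("S+", "s+", "d+", "w+", "W+", "D+"):
            cls = pattern[i + 1]
            problems.append(f"'/{cls}+' looks like a typo for '\\{cls}+' (col {i})")
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # closing parenthesis with no opener
                problems.append(f"')' without matching '(' (col {i})")
                depth = 0
        i += 1
    if depth:
        problems.append(f"{depth} unclosed '('")
    return problems


if __name__ == "__main__":
    for name, rx in (("broken", BROKEN_BROCADE_REGEX), ("fixed", FIXED_BROCADE_REGEX)):
        print(name, lint_ossec_regex(rx) or "OK")
```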
On Monday, October 14, 2019 at 4:11:15 PM UTC+2, Diego S wrote:
>
> Sorry, my bad Dan, thanks anyway, I have a starting point now.
>
> Regards!
>
> On Mon., Oct 14, 2019 at 10:56, dan (ddp) (<ddp...@gmail.com>) wrote:
>
>> On Mon, Oct 14, 2019 at 9:54 AM Diego S <rabi...@gmail.com> wrote:
>> >
>> > Hi!
>> >
>> > I tried with an updated version and I'm still getting the same error :S
>> >
>>
>> That's Wazuh. I don't know enough about their project to help.
>>
>> >
>> >
>> > On Sat., Oct 12, 2019 at 9:12, dan (ddp) (<ddp...@gmail.com>) wrote:
>> >>
>> >>
>> >>
>> >> On Fri, Oct 11, 2019 at 2:03 PM Diego S <rabi...@gmail.com> wrote:
>> >>>
>> >>> I'm using the 2.0 version.
>> >>
>> >>
>> >> 2.0 is ancient. Not much I can do to help with that.
>> >>
>> >>>
>> >>> I'm not able to find the syntax error.
>> >>>
>> >>> Thanks!
>> >>>
>> >>> On Fri., Oct 11, 2019 at 14:51, dan (ddp) (<ddp...@gmail.com>) wrote:
>> >>>>
>> >>>> On Fri, Oct 11, 2019 at 1:41 PM Diego S <rabi...@gmail.com> wrote:
>> >>>> >
>> >>>> > Thank you very much for your response.
>> >>>> > Let me know if I am wrong. The decoder will be like this:
>> >>>> >
>> >>>> > <decoder name="Brocade-format">
>> >>>> >   <prematch>^\d+\s\w\w\w\w\w, </prematch>
>> >>>> > </decoder>
>> >>>> >
>> >>>> > <decoder name="Brocade-login">
>> >>>> >   <parent>Brocade-format</parent>
>> >>>> >   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),</regex>
>> >>>> >   <order>user,second</order>
>> >>>> > </decoder>
>> >>>> >
>> >>>> > <decoder name="squid-accesslog">
>> >>>> >   <type>squid</type>
>> >>>> >   <prematch>^\d+ \S+ </prematch>
>> >>>> >   <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
>> >>>> >   <order>srcip,action,id,url</order>
>> >>>> > </decoder>
>> >>>> >
>> >>>> > But I'm getting a syntax error and I don't know why or where.
>> >>>> >
>> >>>> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.
>> >>>> >
>> >>>>
>> >>>> I'm not sure what's wrong there. Which version of OSSEC are you 
>> using?
>> >>>>
>> >>>> > Thanks and regards!
>> >>>> >
>> >>>> > --
>> >>>> >
>> >>>> > ---
>> >>>> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group.
>> >>>> > To unsubscribe from this group and stop receiving emails from it, 
>> send an email to ossec...@googlegroups.com.
>> >>>> > To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ossec-list/CAGQH4FLk08YBG4NhaVQ9vG-nB-zF2%2Bo1GwnxSSvRbE62MGH2qA%40mail.gmail.com
>> .
>> >>>>
>> >>>
>> >>
>> >
>>
>>
>

