Thanks Juan! It's working now. I entered the wrong forum!

Regards,

On Mon, Oct 14, 2019 at 11:48, Juan Carlos Tello (<juancarlos.te...@wazuh.com>) wrote:
> Hi Diego,
>
> The issue seems to be the regular expression.
>
> It seems the correct syntax would be:
>
> <decoder name="Brocade-login">
>   <parent>Brocade-format</parent>
>   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),</regex>
>   <order>user,second</order>
> </decoder>
>
> Note that the / , [ and ] characters are not escaped, and that the criteria for extracting fields have been optimized.
>
> Although the issue was with the regular expression, which uses the same interpreter as OSSEC, it is true that the behavior is not the same as with OSSEC, so I do recommend using the Wazuh mailing list for queries related to Wazuh.
>
> Best Regards,
> Juan Carlos Tello
>
> On Monday, October 14, 2019 at 4:11:15 PM UTC+2, Diego S wrote:
>> Sorry, my bad Dan, thanks anyway, I have a starting point now.
>>
>> Regards!
>>
>> On Mon, Oct 14, 2019 at 10:56, dan (ddp) (<ddp...@gmail.com>) wrote:
>>> On Mon, Oct 14, 2019 at 9:54 AM Diego S <rabi...@gmail.com> wrote:
>>>> Hi!
>>>>
>>>> I tried with an updated version and I'm still getting the same error :S
>>>
>>> That's Wazuh. I don't know enough about their project to help.
>>>
>>>> On Sat, Oct 12, 2019 at 9:12, dan (ddp) (<ddp...@gmail.com>) wrote:
>>>>> On Fri, Oct 11, 2019 at 2:03 PM Diego S <rabi...@gmail.com> wrote:
>>>>>> I'm using the 2.0 version.
>>>>>
>>>>> 2.0 is ancient. Not much I can do to help with that.
>>>>>
>>>>>> I'm not able to find the syntax error.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> On Fri, Oct 11, 2019 at 14:51, dan (ddp) (<ddp...@gmail.com>) wrote:
>>>>>>> On Fri, Oct 11, 2019 at 1:41 PM Diego S <rabi...@gmail.com> wrote:
>>>>>>>> Thank you very much for your response.
>>>>>>>> Let me know if I am wrong. The decoder will be like this:
>>>>>>>>
>>>>>>>> <decoder name="Brocade-format">
>>>>>>>>   <prematch>^\d+\s\w\w\w\w\w, </prematch>
>>>>>>>> </decoder>
>>>>>>>>
>>>>>>>> <decoder name="Brocade-login">
>>>>>>>>   <parent>Brocade-format</parent>
>>>>>>>>   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),</regex>
>>>>>>>>   <order>user,second</order>
>>>>>>>> </decoder>
>>>>>>>>
>>>>>>>> <decoder name="squid-accesslog">
>>>>>>>>   <type>squid</type>
>>>>>>>>   <prematch>^\d+ \S+ </prematch>
>>>>>>>>   <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
>>>>>>>>   <order>srcip,action,id,url</order>
>>>>>>>> </decoder>
>>>>>>>>
>>>>>>>> But I'm getting a syntax error and I don't know why or where.
>>>>>>>>
>>>>>>>> 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.
>>>>>>>
>>>>>>> I'm not sure what's wrong there. Which version of OSSEC are you using?
>>>>>>>
>>>>>>>> Thanks and regards!
>>>>>>>>
>>>>>>>> --
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.
>>>>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAGQH4FLk08YBG4NhaVQ9vG-nB-zF2%2Bo1GwnxSSvRbE62MGH2qA%40mail.gmail.com.
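Juan's point about which characters the OSSEC regex dialect treats literally can be checked offline before loading a decoder. The following is an added example, not code from the thread or from OSSEC/Wazuh: it maps the OSSEC escapes used above onto Python's re module, flags the regex from the error message, and pulls the two fields out of a constructed Brocade-style audit fragment. The escape table and the lazy treatment of \.+ are my assumptions taken from the OSSEC regex documentation, so confirm the result with the engine's own ossec-logtest (or wazuh-logtest) before relying on it.

```python
import re

# Escape table for the OSSEC/Wazuh regex dialect (assumed from the OSSEC docs, not
# stated in the thread): \w is letters, digits, '-', '@', '_'; \s is a literal
# space; \. is any character; the remaining escapes turn specials into literals.
OSSEC_ESCAPES = {
    "d": r"\d", "w": r"[A-Za-z0-9@_-]", "s": " ", "S": r"\S", ".": ".",
    "t": r"\t", "(": r"\(", ")": r"\)", "\\": r"\\", "^": r"\^", "$": r"\$",
    "+": r"\+", "*": r"\*", "|": r"\|",
}
OSSEC_SPECIALS = "^$|()+*"  # unescaped, these keep their regex meaning

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-dialect decoder regex into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            esc = pattern[i + 1] if i + 1 < len(pattern) else ""
            if esc not in OSSEC_ESCAPES:
                raise ValueError(f"unknown escape '\\{esc}' at offset {i}")
            frag, i = OSSEC_ESCAPES[esc], i + 2
        elif c in OSSEC_SPECIALS:
            frag, i = c, i + 1
        else:  # anything else, including / , [ and ], is a literal in OSSEC
            frag, i = re.escape(c), i + 1
        # Assumption: OSSEC ends a \.+ run as soon as the rest of the pattern
        # fits, which a lazy quantifier approximates.
        if frag == "." and i < len(pattern) and pattern[i] == "+":
            frag, i = ".+?", i + 1
        out.append(frag)
    return "".join(out)

def check_regex(ossec_regex: str):
    """Return None if the regex translates and compiles, else the error text."""
    try:
        re.compile(ossec_to_python(ossec_regex))
    except (ValueError, re.error) as err:
        return str(err)
    return None

def decode(after_parent: str, ossec_regex: str, order: list) -> dict:
    """Apply a child decoder regex to the text left after the parent prematch."""
    match = re.match(ossec_to_python(ossec_regex), after_parent)
    return dict(zip(order, match.groups())) if match else {}

BROKEN = r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)"  # from the error message
FIXED = r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),"  # Juan's version
# Constructed Brocade-style audit fragment (not a real capture): what the child
# decoder sees with offset="after_parent".
SAMPLE = ("2019/10/11-12:05:07 (GMT), [SEC-3020], INFO, SECURITY, "
          "admin/admin/10.0.0.1/ssh/CLI, ad_0/sw01/FID 128, , Event: login")
```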