Hi,
My apologies for the late response. You could start creating decoders
following this example:
<decoder name="ossec_custom">
  <!-- parent decoder: the prematch selects the log line -->
  <prematch>^\w+,\w+,\w+.</prematch>
</decoder>

<decoder name="ossec_custom_child">
  <parent>ossec_custom</parent>
  <regex>\w+,(\w+),(\w+.\w+.\w+.\w+):(\d+),</regex>
  <order>info, srcip, srcport</order>
</decoder>

<decoder name="ossec_custom_child">
  <parent>ossec_custom</parent>
  <!-- sibling with the same name; offset="after_regex" resumes right after the previous regex match -->
  <regex offset="after_regex">(\w+.\w+.\w+.\w+):(\d+),(\w+),</regex>
  <order>dstip, dstport, user</order>
</decoder>
Ossec logtest output:
Type one log per line
2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
**Phase 1: Completed pre-decoding.
full event:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
timestamp: '2018-08-26T00:00:03.269Z,000000'
**Phase 2: Completed decoding.
name: 'ossec_custom'
dstip: 'xxx.xxx.xxx.234'
dstport: '50956'
dstuser: 'ngapt'
info: '2'
srcip: 'xxx.xxx.xxx.4'
srcport: '995'
Also, I would like to leave here some links that you might find helpful:
- Creating custom decoders:
  <https://documentation.wazuh.com/current/user-manual/ruleset/custom.html>
- Decoders syntax:
  <https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html>
Hope this was helpful. Let me know if you need anything else.
Regards,
Yana.
On Thursday, September 20, 2018 at 1:43:51 PM UTC+2 [email protected]
wrote:
> Hi everybody, after I used logtest with these logs there was no result, please
> can anyone help me decode these!!!
>
> POP3:
> 2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
>
> Logon failure: unknown user name or bad
> password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
>
> Imap4:
> 2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq
>
> *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/c9c13568-bea7-4c33-8283-b0a4d42f27f1n%40googlegroups.com.
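Added example, not code from this thread or from the Wazuh/OSSEC ruleset: a Python parser and detection pass over constructed copies of the two lines posted above, producing the same field names Yana's decoders yield in the logtest output (info, srcip, srcport, dstip, dstport, dstuser). It assumes the lines follow the Microsoft Exchange POP3/IMAP4 protocol-log header (dateTime, sessionId, seqNumber, sIp, cIp, user, duration, rqsize, rpsize, command, parameter, context), which the thread does not state; under that header the fourth field is the server endpoint and the fifth the remote client, which matters if a rule is keyed on the remote address. It also parses the quoted context field, whose R= and Msg= values can themselves be quoted and carry semicolons, so a LogonFailed check does not trip over the doubled quotes. The sample lines (with the masked "xxx" addresses replaced by RFC 5737 documentation addresses and the e-mail line wrapping undone), the field names and the function names are constructed for this example.

```python
"""
Parser for the comma-separated POP3/IMAP4 lines from the thread above.

Added example, not code from the thread or from the Wazuh/OSSEC ruleset.
Assumption (not stated on the page): the lines follow the Microsoft Exchange
POP3/IMAP4 protocol-log header
  dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameter,context
so the fourth field is the server endpoint (sIp) and the fifth the client (cIp).
Output field names follow Yana's decoders / logtest output (srcip = 4th, dstip = 5th).
"""
import csv
from typing import Dict, List

# Column names assumed from the Exchange protocol-log header (assumption).
FIELDS = ["dateTime", "sessionId", "seqNumber", "sIp", "cIp", "user",
          "duration", "rqsize", "rpsize", "command", "parameter", "context"]

# Constructed sample lines modelled on the two logs posted in the thread.
SAMPLE_LINES = [
    '2018-08-26T00:00:03.269Z,00000000000EE085,2,192.0.2.4:995,198.51.100.234:50956,ngapt,2,10,56,pass,*****,'
    '"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"',
    '2018-08-25T00:01:41.052Z,00000000000187EB,2,192.0.2.4:993,198.51.100.5:52332,trunghq,706,26,26,login,trunghq *****,'
    '"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"',
]


def parse_context(ctx: str) -> Dict[str, str]:
    """Split the context field into key/value pairs.

    Pairs are ';'-separated; a value may be double-quoted, in which case it can
    contain ';' itself (e.g. Msg="Proxy:...;ProxySuccess"). The surrounding CSV
    quoting has already been removed by csv.reader at this point.
    """
    out: Dict[str, str] = {}
    i, n = 0, len(ctx)
    while i < n:
        eq = ctx.find("=", i)
        if eq < 0:
            break
        key = ctx[i:eq].strip()
        i = eq + 1
        if i < n and ctx[i] == '"':            # quoted value: read up to the closing quote
            end = ctx.find('"', i + 1)
            end = n if end < 0 else end
            out[key] = ctx[i + 1:end]
            i = end + 1
        else:                                  # bare value: read up to the next ';'
            end = ctx.find(";", i)
            end = n if end < 0 else end
            out[key] = ctx[i:end]
            i = end
        if i < n and ctx[i] == ";":
            i += 1
    return out


def decode(line: str) -> Dict[str, object]:
    """Decode one line into the field names Yana's decoders produce, plus the parsed context."""
    row = next(csv.reader([line]))             # csv handles the quoted last field and "" escapes
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    rec = dict(zip(FIELDS, row))
    srcip, srcport = rec["sIp"].rsplit(":", 1)  # 4th field -> srcip/srcport as in the logtest output
    dstip, dstport = rec["cIp"].rsplit(":", 1)  # 5th field -> dstip/dstport (the remote client under the Exchange header)
    ctx = parse_context(rec["context"])
    return {
        "timestamp": rec["dateTime"],
        "session": rec["sessionId"],
        "info": rec["seqNumber"],
        "srcip": srcip, "srcport": int(srcport),
        "dstip": dstip, "dstport": int(dstport),
        "dstuser": rec["user"],                # <order>user</order> shows up as dstuser in logtest
        "command": rec["command"],
        "result": ctx.get("R", ""),
        "logon_failed": "LogonFailed" in ctx.get("Msg", "") or "LogonFailed" in ctx.get("ErrMsg", ""),
        "context": ctx,
    }


def failed_logons(lines: List[str]) -> List[Dict[str, object]]:
    """Detection pass: return the events whose context reports LogonFailed."""
    return [ev for ev in map(decode, lines) if ev["logon_failed"]]


if __name__ == "__main__":
    for ev in map(decode, SAMPLE_LINES):
        print(ev)
    for ev in failed_logons(SAMPLE_LINES):
        print(f"failed logon for {ev['dstuser']} from {ev['dstip']}:{ev['dstport']} ({ev['result']})")
```

Run it directly to see both events; the `logon_failed` flag is the condition a rule would match on, and the `context` dict keeps the remaining key/value pairs (ProxySuccess, ActivityContextData) for anything else you want to correlate.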