Custom Decoder


Diego S

Oct 11, 2019, 11:49:21 AM
to ossec-list
Hi everyone!

I'm wondering if we already have on OSSEC a custom decoder according to this kind of log, to get the red values.

1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.

I tried to do a custom one, but without success.

I leave you here what I've done.

This one is getting the "1022 Audit" to discriminate the one I need from the rest.


<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w</prematch>
</decoder>



And here is where I'm trying to get the underlined red values at the beginning of the text, but I'm not sure about:

- The type of the log I have to use, or if it is necessary
- The "order" value I have to use to take both red values.
- The structure of the decoder.


<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <type>---------</type>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>
  <order>---------</order>
</decoder>



Thanks and Regards!

dan (ddp)

Oct 11, 2019, 12:07:10 PM
to ossec...@googlegroups.com
On Fri, Oct 11, 2019 at 11:49 AM Diego S <rabi...@gmail.com> wrote:
>
> Hi everyone!
>
> I wondering if we already have on ossec a custom decoder acording to this kind of log to get the red values.
>
> 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
>

Running this through ossec-logtest gives me this:
**Phase 1: Completed pre-decoding.
full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
hostname: 'ix'
program_name: '(null)'
log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
decoder: 'squid-accesslog'

**Phase 3: Completed filtering (rules).
Rule id: '35000'
Level: '0'
Description: 'Squid messages grouped.'

I get the same output with and without your custom decoder. You'll
need to put your decoder before the squid decoder.


dan (ddp)

Oct 11, 2019, 12:34:30 PM
to ossec...@googlegroups.com
I put this before the squid-accesslog decoder in decoder.xml:
<decoder name="Brocade-format">
<prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>
<decoder name="Brocade-login">
<parent>Brocade-format</parent>
<!--<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>-->
<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
<order>user,second</order>
</decoder>

Now I get the following output:
**Phase 1: Completed pre-decoding.
full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
hostname: 'ix'
program_name: '(null)'
log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
decoder: 'Brocade-format'
dstuser: 'diego.gonzales'
second: '/ssh/CLI'

I'm sure it can be cleaned up a lot, and using pcre2 might make it even better.
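To see what the decoder pair above extracts without a running OSSEC, here is an added Python model of the same prematch / regex / order logic. It is example code written for this page, not OSSEC's engine and not code from the thread. The OSSEC patterns are translated into Python `re` syntax: OSSEC's `\w` is spelled out as its character set, and the `+` quantifiers are written lazily because the logtest output above shows `(\S+)/` stopping at the first slash. The key/value parsing of the `Event:` / `Status:` / `Info:` / `IP Addr:` tail, the second sample line with a failed status, and the `is_failed_login` helper are assumptions added for illustration.

```python
"""Python model of the parent/child decoder pair posted above, applied to
the Brocade AUDIT login line. Added example; not OSSEC's engine or code from
the thread. OSSEC patterns are translated into Python re syntax."""
import re

# The log line quoted in the thread (the only real sample used here).
SAMPLE_OK = (
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, "
    "Info: Successful login attempt via REMOTE, "
    "IP Addr: pivonox.prod.pci.elan.red.com.uy."
)

# Constructed variant for the detection check (assumption: a failed attempt
# keeps the same layout and differs only in Status/Info).
SAMPLE_FAIL = SAMPLE_OK.replace("Status: success", "Status: failed").replace(
    "Successful login attempt", "Failed login attempt"
)

# OSSEC's \w covers letters, digits, '@', '_' and '-'; it has no [] classes
# or {n} counts, so the Python patterns spell that set out explicitly.
W = r"[A-Za-z0-9@_-]"

# Parent decoder:  <prematch>^\d+\s\w\w\w\w\w, </prematch>
PREMATCH = re.compile(r"^\d+ " + W + r"{5}, ")

# Child decoder with offset="after_parent": matched against the text that
# follows the prematch. OSSEC's + stops as soon as the next pattern element
# matches (the logtest output shows (\S+)/ stopping at the first '/'), so the
# quantifiers are written lazily (+?) to reproduce dstuser='diego.gonzales'.
#   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),
FIELDS = re.compile(
    r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+?\), \[\S+?\], \S+?, \S+?, "
    r"(?P<user>\S+?)/\S+?(?P<second>/" + W + r"+?/\S+?),"
)

# Assumed key/value tail of the same line (Event, Status, Info, IP Addr).
# The final '.' is treated as sentence punctuation, not part of the host.
TAIL = re.compile(
    r"Event: (?P<event>[^,]+), Status: (?P<status>[^,]+), "
    r"Info: (?P<info>[^,]+), IP Addr: (?P<ip_addr>.+?)\.?$"
)


def decode(line):
    """Return the decoded fields for one line, or None when the parent
    prematch does not fire (the line belongs to some other decoder)."""
    pre = PREMATCH.match(line)
    if not pre:
        return None
    rest = line[pre.end():]            # what offset="after_parent" sees
    fields = {"decoder": "Brocade-format"}
    m = FIELDS.match(rest)
    if not m:
        return fields                  # parent matched, child did not
    # <order>user,second</order>: OSSEC reports the 'user' field as dstuser.
    fields["dstuser"] = m.group("user")
    fields["second"] = m.group("second")
    tail = TAIL.search(rest)
    if tail:
        fields.update({k: v.strip() for k, v in tail.groupdict().items()})
    return fields


def is_failed_login(fields):
    """Detection helper: a decoded login event whose Status is not success."""
    return (
        fields is not None
        and fields.get("event") == "login"
        and fields.get("status", "").lower() != "success"
    )


if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_FAIL, "1022 AUDIT garbage"):
        decoded = decode(line)
        print(decoded, "-> failed login:", is_failed_login(decoded))
```

The lazy quantifiers are the point to take away: a pattern that works in OSSEC's dialect can bind its captures differently once it is moved to a PCRE-style engine (or to pcre2 in OSSEC), so every decoder change is worth re-running through ossec-logtest against a saved sample line, exactly as done in the thread.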

Diego S

Oct 11, 2019, 1:41:34 PM
to ossec...@googlegroups.com
Thank you very much for your response.
Let me know if I am wrong. The decoder will be like this:

<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>

<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
  <order>user,second</order>
</decoder>

<decoder name="squid-accesslog">
  <type>squid</type>
  <prematch>^\d+ \S+ </prematch>
  <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
  <order>srcip,action,id,url</order>
</decoder>

But I'm getting a syntax error and I don't know why or where.

2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.

Thanks and regards!

dan (ddp)

Oct 11, 2019, 1:51:38 PM
to ossec...@googlegroups.com
I'm not sure what's wrong there. Which version of OSSEC are you using?


Diego S

Oct 11, 2019, 2:03:03 PM
to ossec...@googlegroups.com
I'm using version 2.0.

I'm not able to find the syntax error.

Thanks!

dan (ddp)

Oct 12, 2019, 8:12:51 AM
to ossec...@googlegroups.com


On Fri, Oct 11, 2019 at 2:03 PM Diego S <rabi...@gmail.com> wrote:
> I'm using version 2.0.

2.0 is ancient. Not much I can do to help with that.

Diego S

Oct 14, 2019, 9:54:07 AM
to ossec...@googlegroups.com
Hi!

I tried with an updated version and I'm still getting the same error :S

[attachment: image.png]

dan (ddp)

Oct 14, 2019, 9:56:21 AM
to ossec...@googlegroups.com
On Mon, Oct 14, 2019 at 9:54 AM Diego S <rabi...@gmail.com> wrote:
>
> Hi!
>
> I tried with an updated version and I'm still getting the same error :S
>

That's Wazuh. I don't know enough about their project to help.

Diego S

Oct 14, 2019, 10:11:15 AM
to ossec...@googlegroups.com
Sorry, my bad, Dan. Thanks anyway, I have a starting point now.

Regards!

Juan Carlos Tello

Oct 14, 2019, 10:48:49 AM
to ossec-list
Hi Diego,
The issue seems to be the regular expression.

It seems the correct syntax would be:

<decoder name="Brocade-login">
  <parent>Brocade-format</parent>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),</regex>
  <order>user,second</order>
</decoder>

Note that the characters /, comma, [ and ] are not escaped, and that the criteria for extracting the fields have been optimized.

Although the issue was with the regular expression, which uses the same interpreter as OSSEC, it is true that the behavior is not the same as with OSSEC, so I do recommend using the Wazuh mailing list for queries related to Wazuh.

Best Regards,
Juan Carlos Tello

Diego S

Oct 14, 2019, 2:35:36 PM
to ossec...@googlegroups.com
Thanks Juan! It's working now.

I entered the wrong forum!

Regards,
