netscreen logs


Tom Bicer

Aug 20, 2007, 7:57:51 PM
to ossec...@ossec.net
I've been trying to get ossec to work with netscreen logs. I'm unable to figure out why only device name ns5gt works.
Replacing that name with any other valid device name in decoder.xml doesn't produce any records in firewall.log.
I also tried completely removing program_name and just leaving prematch; it still doesn't produce any entries in firewall.log.
I'd appreciate any suggestions anyone may have.
Tom
 

Daniel Cid

Aug 20, 2007, 9:55:27 PM
to ossec...@googlegroups.com
Hi Tom,

Can you send some log samples to us? Our decoder looks for:

<decoder name="netscreenfw">
<program_name>^sav00|^ns5gt</program_name>
<prematch>^NetScreen device_id</prematch>
</decoder>

Probably that's why it only works with ns5gt. However, we were told
this would be present in all netscreen logs, so if that is different, let us know.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

bice...@gmail.com

Aug 21, 2007, 5:00:33 PM
to ossec-list
log samples sent.
I've modified the decoder in numerous ways and was unable to obtain
results.
Tom.

On Aug 20, 9:55 pm, "Daniel Cid" <daniel....@gmail.com> wrote:
> Hi Tom,
>
> Can you send some log samples to us? Our decoder looks for:
>
> <decoder name="netscreenfw">
> <program_name>^sav00|^ns5gt</program_name>
> <prematch>^NetScreen device_id</prematch>
> </decoder>
>
> Probably that's why it only works with ns5gt. However, we were told
> this would be present in all netscreen logs, so if that is different, let us know.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>

> On 8/20/07, Tom Bicer <bicer....@gmail.com> wrote:
>
> > I've been trying to get ossec to work with netscreen logs. I'm unable to figure
> > out why only device name ns5gt works.
> > Replacing that name with any other valid device name in decoder.xml doesn't
> > produce any records in firewall.log.
> > I also tried completely removing program_name and just leaving prematch; it
> > still doesn't produce any entries in firewall.log.
> > I'd appreciate any suggestions anyone may have.
> > Tom

Daniel Cid

Aug 21, 2007, 8:16:08 PM
to ossec...@googlegroups.com
Hi Tom,

Thanks for the logs. I really appreciate it. Just change the program name to:

<program_name />

And it will work. I also made this change on CVS for our next releases...

Thanks!

--
Daniel B. Cid
dcid ( at ) ossec.net
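To make the fix concrete, here is a small Python model of the decoder selection Daniel describes. It is an added illustration, not OSSEC's own code: a simplified pre-decoder splits a syslog line into program name and message, a cut-down imitation of OSSEC's pattern matcher handles the leading "^" anchor and "|" alternation, and an empty program_name pattern is treated as "any program name", which is what the <program_name /> change relies on. The log lines below are constructed, not Tom's samples; the header layout (timestamp, host, program name, message) and the device names ns25 and fw01..fw03 are assumptions.

```python
import re

# Constructed sample lines (not from the thread). Assumed layout:
# "Mon DD HH:MM:SS host program[pid]: message". Real senders may differ.
SAMPLE_LINES = [
    "Aug 20 19:57:51 fw01 ns5gt: NetScreen device_id=ns5gt "
    "[Root]system-notification-00257(traffic): action=Permit "
    "src=192.0.2.10 dst=198.51.100.20 dst_port=80",
    "Aug 20 19:58:03 fw02 ns25: NetScreen device_id=ns25 "
    "[Root]system-notification-00257(traffic): action=Deny "
    "src=192.0.2.11 dst=198.51.100.21 dst_port=23",
    "Aug 20 19:58:10 fw03 sav00: NetScreen device_id=sav00 "
    "[Root]system-notification-00257(traffic): action=Permit "
    "src=192.0.2.12 dst=198.51.100.22 dst_port=443",
    # Unrelated syslog line: has a program name but is not a NetScreen record.
    "Aug 20 19:58:20 host1 sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.5 port 5000 ssh2",
]

# Simplified syslog header parser standing in for OSSEC's pre-decoding.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)


def predecode(line):
    """Return (program_name, message) for a syslog-shaped line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("prog"), m.group("msg")


def osmatch(pattern, text):
    """Cut-down imitation of OSSEC's matcher (assumption: only '^' and '|'
    are modelled). '|' separates alternatives; a leading '^' anchors the
    alternative at the start of the text, otherwise it is a substring test.
    An empty pattern, the <program_name /> case, matches any text."""
    if pattern == "":
        return True
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def decoder_matches(decoder, line):
    """Apply the program_name test (if the decoder has one) and then the
    prematch test to the message part, as the decoder.xml entry does."""
    parsed = predecode(line)
    if parsed is None:
        return False
    prog, msg = parsed
    if "program_name" in decoder and not osmatch(decoder["program_name"], prog):
        return False
    return osmatch(decoder["prematch"], msg)


# The two decoder.xml variants from the thread, as plain dicts.
ORIGINAL = {"program_name": "^sav00|^ns5gt", "prematch": "^NetScreen device_id"}
FIXED = {"program_name": "", "prematch": "^NetScreen device_id"}


def matched_devices(decoder, lines):
    """Program names of the lines the given decoder would accept."""
    return [predecode(ln)[0] for ln in lines if decoder_matches(decoder, ln)]


if __name__ == "__main__":
    print("original decoder:", matched_devices(ORIGINAL, SAMPLE_LINES))
    print("with <program_name />:", matched_devices(FIXED, SAMPLE_LINES))
```

Running it shows the original entry accepting only the ns5gt and sav00 lines, because the program_name pattern rejects every other device name before prematch is even consulted, while the <program_name /> form accepts all three NetScreen lines and still rejects the sshd line through prematch.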

bice...@gmail.com

Aug 22, 2007, 5:56:28 PM
to ossec-list
Daniel,
Let's assume I completely remove <program_name />; should it still work?

On Aug 21, 8:16 pm, "Daniel Cid" <d...@ossec.net> wrote:
> Hi Tom,
>
> Thanks for the logs. I really appreciate it. Just change the program name to:
>
> <program_name />
>
> And it will work. I also made this change on CVS for our next releases...
>
> Thanks!
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>

