Local decoder help


Phil Daws

Dec 11, 2012, 1:12:48 AM
to ossec...@googlegroups.com
Hello:

I am attempting to write a local decoder for Asterisk and cannot get the syntax correct. The log line appears as:

[Dec 10 19:47:47] NOTICE[23927][C-00000013] chan_sip.c: Call from '' (NNN.NNN.NNN.NNN:9202) to extension 'NNNNNNNNNNNNN' rejected because extension not found in context 'XXXXXXXXXXX'.

and I have tried the following decoder:

<decoder name="local-asterisk-registration">
<prematch>NOTICE[\d+] \S+: Call from \S+ \((\d+.\d+.\d+.\d+):\d+\) </prematch>
<regex offset="after_prematch">to extension \S+ rejected because extension not found in context</regex>
<order>srcip</order>
</decoder>

This never matches, and I am wondering whether it is due to the '(' around the source IP?

Any help appreciated.

Scott Nelson

Dec 11, 2012, 10:21:54 AM
to ossec...@googlegroups.com
You missed something: after 'NOTICE[23927]' there is '[C-0000013] chan_sip.c:' which is not in your prematch.

In my "Guide to gooder grammer", I had a rule: "Proofread your writing to see if you any words out".

dan (ddp)

Dec 11, 2012, 4:52:01 PM
to ossec...@googlegroups.com
<decoder name="stuff">
  <prematch>^[\S+ \d\d \d\d:\d\d:\d\d] NOTICE[\d+][\S+] chan_sip.c: </prematch>
  <regex offset="after_prematch">^Call from '' \((\S+):(\d+)\) to extension '(\S+)' </regex>
  <order>srcip, srcport, extra_data</order>
</decoder>
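An added check, not part of the thread or of OSSEC itself: a small Python script that translates the OSSEC decoder syntax used above into Python regexes and runs both decoders against a constructed sample line (IP, extension and context are placeholders), so the missing `[C-...] chan_sip.c:` piece can be seen failing the first prematch. Python's regex engine backtracks more freely than OSSEC's, so a pass here is only a first check; confirm the decoder with ossec-logtest.

```python
import re

# OSSEC regex syntax to Python re. Only the subset used by the decoders in this
# thread is covered: \d \D \s \S \w \W, '.', escaped literals, ( ) ^ $ | * + ?.
# Square brackets and quotes are literal in OSSEC, so they are escaped for Python.
OSSEC_ESCAPES = {
    "d": "[0-9]", "D": "[^0-9]", "s": " ", "S": "[^ ]",
    "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]", "t": "\t",
}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            nxt = pattern[i]  # \d, \S, ... become classes; \( \) \. become literals
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
        elif c in "()^$|*+?.":
            out.append(c)  # same meaning in both engines
        else:
            out.append(re.escape(c))  # '[', ']', quotes and ':' are literal in OSSEC
        i += 1
    return "".join(out)

def decode(line, prematch, regex, order):
    """Mimic OSSEC: prematch must hit first; with offset="after_prematch" the
    regex then runs on the text after it and its groups fill the <order> fields."""
    pre = re.search(ossec_to_python(prematch), line)
    if pre is None:
        return None  # decoder does not apply to this line
    m = re.search(ossec_to_python(regex), line[pre.end():])  # '^' now means "after prematch"
    if m is None:
        return {}  # prematch hit but no fields extracted
    return dict(zip(order, m.groups()))

# Constructed sample in the format quoted in the thread (IP, extension, context are placeholders)
SAMPLE = ("[Dec 10 19:47:47] NOTICE[23927][C-00000013] chan_sip.c: Call from '' "
          "(198.51.100.7:9202) to extension '0011234567890' rejected because "
          "extension not found in context 'from-trunk'.")

# First attempt: "NOTICE[\d+] " expects a space where the log has "[C-00000013]"
FIRST_PREMATCH = r"NOTICE[\d+] \S+: Call from \S+ \((\d+.\d+.\d+.\d+):\d+\) "
FIRST_REGEX = r"to extension \S+ rejected because extension not found in context"
# Working decoder posted later in the thread
PREMATCH = r"^[\S+ \d\d \d\d:\d\d:\d\d] NOTICE[\d+][\S+] chan_sip.c: "
REGEX = r"^Call from '' \((\S+):(\d+)\) to extension '(\S+)' "
ORDER = ["srcip", "srcport", "extra_data"]
```

`decode(SAMPLE, FIRST_PREMATCH, FIRST_REGEX, ["srcip"])` returns None (prematch never hits), while `decode(SAMPLE, PREMATCH, REGEX, ORDER)` returns the srcip, srcport and extra_data fields.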