HELP ME DECODE THIS LOG (check Authen)


Khoa Phạm Anh

Sep 20, 2018, 7:43:51 AM
to ossec-list
Hi everybody, after I used logtest with these logs there was no result, so please can anyone help me decode them!!!

POP3:
2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"

Imap4:
2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"

Yana Zaeva

Mar 3, 2022, 7:54:08 AM
to ossec-list

Hi,

My apologies for the late response. You could start creating decoders following this example:

<!-- Parent decoder: matches once the first three comma-separated fields are plain word characters -->
<decoder name="ossec_custom">
 <prematch>^\w+,\w+,\w+.</prematch>
</decoder>

<!-- First child: skips the first remaining field, captures the next one as info, then the first ip:port pair -->
<decoder name="ossec_custom_child">
 <parent>ossec_custom</parent>
 <regex>\w+,(\w+),(\w+.\w+.\w+.\w+):(\d+),</regex>
 <order>info, srcip, srcport</order>
</decoder>

<!-- Second child: continues where the first child's regex stopped and captures the second ip:port pair and the user name -->
<decoder name="ossec_custom_child">
 <parent>ossec_custom</parent>
 <regex offset="after_regex">(\w+.\w+.\w+.\w+):(\d+),(\w+),</regex>
 <order>dstip, dstport, user</order>
</decoder>

Ossec logtest output:

Type one log per line

2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"

**Phase 1: Completed pre-decoding.
        full event: '2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
        timestamp: '2018-08-26T00:00:03.269Z,000000'

**Phase 2: Completed decoding.
        name: 'ossec_custom'
        dstip: 'xxx.xxx.xxx.234'
        dstport: '50956'
        dstuser: 'ngapt'
        info: '2'
        srcip: 'xxx.xxx.xxx.4'
        srcport: '995'

Also, I would like to leave here some links that you might find helpful:

Hope this was helpful. Let me know if you need anything else.

Regards,
Yana.
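As an added example, not code from the thread, here is a Python parser for the comma-separated POP3/IMAP4 lines above. It handles the doubled-quote escaping inside the final context field, which the decoder regexes do not touch, and counts failed logons per client, which is what a rule built on these decoders would normally be after. The field names are assumed from the sample lines: the 4th field carries the listening port (995/993), so it is taken as the server endpoint and the 5th as the client.

```python
import csv
from collections import Counter

# Assumed field layout for the comma-separated POP3/IMAP4 lines in the thread.
# The 4th field carries the listening port (995/993), so it is treated as the
# server-side endpoint and the 5th as the connecting client.
FIELDS = ["timestamp", "session_id", "seq", "server", "client", "user",
          "duration", "rq_size", "rp_size", "command", "parameters", "context"]

# Constructed sample: the two lines from the thread plus one more failure from
# the same client (session id and port made up), so the per-client count adds up.
SAMPLE_LOG = '''\
2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"
2018-08-26T00:00:09.100Z,00000000000EE086,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50960,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
'''


def split_endpoint(endpoint):
    """Split 'ip:port' on the last colon, returning (ip, port)."""
    ip, _, port = endpoint.rpartition(":")
    return ip, port


def parse_line(line):
    """Parse one line into a dict. csv unescapes the quoted context field,
    where a literal quote is written as two quotes ("")."""
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(row)))
    rec = dict(zip(FIELDS, row))
    rec["server_ip"], rec["server_port"] = split_endpoint(rec.pop("server"))
    rec["client_ip"], rec["client_port"] = split_endpoint(rec.pop("client"))
    return rec


def is_logon_failure(rec):
    """True when the context field reports a denied logon, as in the POP3 sample."""
    ctx = rec["context"]
    return "LogonFailed" in ctx or "LogonDenied" in ctx


def failed_logons_by_client(text):
    """Count failed logons per (client_ip, user) over a block of log lines."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_logon_failure(rec):
            counts[(rec["client_ip"], rec["user"])] += 1
    return counts
```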
