Hi,
My apologies for the late response. You could start creating decoders following this example:
<decoder name="ossec_custom">
  <!-- parent: three comma-separated \w fields at the start of the pre-decoded line -->
  <prematch>^\w+,\w+,\w+.</prematch>
</decoder>

<decoder name="ossec_custom_child">
  <parent>ossec_custom</parent>
  <!-- second field, then the first ip:port pair -->
  <regex>\w+,(\w+),(\w+.\w+.\w+.\w+):(\d+),</regex>
  <order>info, srcip, srcport</order>
</decoder>

<decoder name="ossec_custom_child">
  <parent>ossec_custom</parent>
  <!-- same name and parent as the child above; after_regex continues after the previous regex match -->
  <regex offset="after_regex">(\w+.\w+.\w+.\w+):(\d+),(\w+),</regex>
  <order>dstip, dstport, user</order>
</decoder>
Ossec logtest output:
Type one log per line
2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
**Phase 1: Completed pre-decoding.
full event: '2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
timestamp: '2018-08-26T00:00:03.269Z,000000'
**Phase 2: Completed decoding.
name: 'ossec_custom'
dstip: 'xxx.xxx.xxx.234'
dstport: '50956'
dstuser: 'ngapt'
info: '2'
srcip: 'xxx.xxx.xxx.4'
srcport: '995'
Also, I would like to leave here some links that you might find helpful:
Hope this was helpful. Let me know if you need anything else.
Regards,
Yana.
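An added example, not part of the thread above and not OSSEC's own code: a small Python emulation of how the three decoders in the reply are evaluated against the posted log line. It translates the os_regex classes (`\w`, `\d`, `\p`, ...) into Python `re` (an approximation; os_regex is not PCRE, so ossec-logtest remains the authority), applies the parent prematch, then runs the sibling child regexes in order, with `offset="after_regex"` continuing from the end of the previous match. It also shows the caveat the Phase 1 output hints at: the parent prematch `^\w+,\w+,\w+.` only matches because pre-decoding has already consumed the prefix `2018-08-26T00:00:03.269Z,000000` as the timestamp; run against the raw line, the prematch fails. The field alias `user` -> `dstuser` mirrors what ossec-logtest printed in Phase 2. The sample event is the one from the post, embedded inline; the decoder dicts and the `after_prematch` handling are assumptions made for the emulation.

```python
import re

# Constructed from the post: the full event and the prefix ossec-logtest
# reported as the timestamp in Phase 1. Decoders run on what is left after
# pre-decoding, so that prefix must be removed before matching.
TIMESTAMP_PREFIX = "2018-08-26T00:00:03.269Z,000000"
FULL_EVENT = (
    "2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,"
    "xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"
    '"R=""-ERR Logon failure: unknown user name or bad password."";'
    'Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
)

# The three decoders from the reply as plain dicts (assumption: this emulates
# how OSSEC evaluates them; it does not parse decoder.xml).
DECODERS = [
    {"name": "ossec_custom", "prematch": r"^\w+,\w+,\w+."},
    {"name": "ossec_custom_child", "parent": "ossec_custom",
     "regex": r"\w+,(\w+),(\w+.\w+.\w+.\w+):(\d+),",
     "order": ["info", "srcip", "srcport"]},
    {"name": "ossec_custom_child", "parent": "ossec_custom",
     "regex": r"(\w+.\w+.\w+.\w+):(\d+),(\w+),",
     "order": ["dstip", "dstport", "user"], "offset": "after_regex"},
]

# os_regex character classes translated to Python re (assumption: approximate;
# os_regex \w also covers '-', '@' and '_', and '.' matches any character).
_CLASSES = {
    "w": "[A-Za-z0-9_@-]", "W": "[^A-Za-z0-9_@-]",
    "d": "[0-9]",          "D": "[^0-9]",
    "s": " ",              "S": "[^ ]",
    "t": "\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}

# ossec-logtest reports the "user" order field as dstuser.
_FIELD_ALIASES = {"user": "dstuser"}


def ossec_to_python(pattern):
    """Translate an os_regex pattern into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c in "^$+*().":  # same meaning in os_regex and Python re
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def decode(log, decoders=DECODERS):
    """Run the decoder chain over one pre-decoded log line.

    Returns None when the parent prematch fails, otherwise a dict with the
    decoder name and the fields filled in the order the children run.
    """
    parent = decoders[0]
    pm = re.search(ossec_to_python(parent["prematch"]), log)
    if pm is None:
        return None
    fields = {"name": parent["name"]}
    prev_end = 0  # end of the last successful child regex match
    for child in decoders[1:]:
        if child.get("parent") != parent["name"]:
            continue
        offset = child.get("offset")
        start = {"after_prematch": pm.end(), "after_regex": prev_end}.get(offset, 0)
        m = re.compile(ossec_to_python(child["regex"])).search(log, start)
        if m is None:
            continue  # a sibling that misses simply leaves its fields unset
        for key, value in zip(child["order"], m.groups()):
            fields[_FIELD_ALIASES.get(key, key)] = value
        prev_end = m.end()
    return fields


if __name__ == "__main__":
    print(decode(FULL_EVENT))                          # None: timestamp blocks the prematch
    print(decode(FULL_EVENT[len(TIMESTAMP_PREFIX):]))  # the Phase 2 fields
```

Running it reproduces the Phase 2 fields (info, srcip, srcport, dstip, dstport, dstuser) from the remainder of the line, and returns None for the raw line, which is the practical check to make when a custom decoder works in ossec-logtest but not on a different log source whose timestamp is pre-decoded differently.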