1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
I tried to do a custom one, but without success.
I'll leave here what I've done.
This one is getting the "1022 AUDIT" to discriminate the one I need from the rest.
<decoder name="Brocade-format">
<prematch>^\d+\s\w\w\w\w</prematch>
</decoder>
And here is where I'm trying to get the underlined red values at the beginning of the text, but I'm not sure about:
- The type of the log I have to use, or if it is necessary
- The "order" value I have to use to take both red values.
- The structure of the decoder.
<decoder name="Brocade-login">
<parent>Brocade-format</parent>
<type>---------</type>
<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*</regex>
<order>---------</order>
</decoder>
Thanks and Regards!
I'm using version 2.0.
<decoder name="Brocade-login">
<parent>Brocade-format</parent>
<regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),</regex>
<order>user,second</order>
</decoder>
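As an added example (not from the thread or from OSSEC itself), the field split that the decoder above performs, written as a PCRE-style Python parser so the layout can be checked offline against the quoted audit line before touching the decoder. The second sample line is constructed from the first by changing only the status, to exercise the non-success branch; the OSSEC regex dialect differs from Python's (there `\.` means any character and `[` `]` are literal), so this pattern is for validation, not for pasting into the decoder.

```python
import re

# Constructed samples: line 1 is the Brocade audit record quoted in the thread,
# line 2 is a copy with only the status changed (not a captured Brocade message).
LINES = [
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, "
    "Info: Successful login attempt via REMOTE, "
    "IP Addr: pivonox.prod.pci.elan.red.com.uy.",
    "1023 AUDIT, 2019/07/26-18:05:10 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: failed, "
    "Info: constructed sample, "
    "IP Addr: pivonox.prod.pci.elan.red.com.uy.",
]

# Same field layout as the decoder regex: timestamp, zone, [msgid], severity,
# category, then user/role/source-host/protocol/interface, then the rest.
AUDIT_RE = re.compile(
    r"^(?P<seq>\d+) AUDIT, "
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) \((?P<tz>\w+)\), "
    r"\[(?P<msgid>[^\]]+)\], (?P<severity>\w+), (?P<category>\w+), "
    r"(?P<user>[^/,]+)/(?P<role>[^/,]+)/(?P<srchost>[^/,]+)/"
    r"(?P<proto>[^/,]+)/(?P<iface>[^,]+), "
    r"(?P<ctx>[^,]*), [^,]*, Event: (?P<event>[^,]+), Status: (?P<status>[^,]+)"
)

def parse_brocade_audit(line):
    """Return the decoded fields as a dict, or None if the line is not an AUDIT record."""
    m = AUDIT_RE.match(line)
    return m.groupdict() if m else None

def login_events(lines):
    """Yield (user, srchost, status) for each decoded login event, skipping other lines."""
    for line in lines:
        f = parse_brocade_audit(line)
        if f and f["event"] == "login":
            yield f["user"], f["srchost"], f["status"]

def failed_logins(lines):
    """(user, srchost) pairs whose login did not succeed: the condition an OSSEC
    rule keyed on the decoded status field would alert on."""
    return [(u, h) for u, h, s in login_events(lines) if s != "success"]

if __name__ == "__main__":
    for f in map(parse_brocade_audit, LINES):
        print(f["user"], f["srchost"], f["event"], f["status"])
    print("failed logins:", failed_logins(LINES))
```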