No decoder matched.


mariano hinjos

Apr 7, 2022, 9:51:40 AM
to Wazuh mailing list
Hi


I have created a decoder to analyze my Oracle logs. This is an example of the log:


Apr 07 13:15:17 superhost journal: Oracle Audit[12396]: LENGTH: "365" SESSIONID:[8] "17552214" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "TTTTT" USERHOST:[11] "ES\MAL210" TERMINAL:[8] "MAL210" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT:[99] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.120.39.22)(PORT=49965))" OS$USERID:[15] "pericoz" DBID:[10] "3980474210" PRIV$USED:[1] "5"

  timestamp: 'Apr 07 13:15:17'
        hostname: 'esmas155t'
        program_name: 'journal'

**Phase 2: Completed decoding.
        No decoder matched.


When I test it in wazuh-logtest it tells me "No decoder matched." This is the decoder header:

<decoder name="oracle_auditEkip">
  <prematch>^journal: Oracle Audit[\d+]: </prematch>
</decoder>
<decoder name="oracle_auditEkip">
  <parent>oracle_auditEkip</parent>
  <regex>^(\w+) (\d+) (\d+:\d+:\d+) \w+ journal: Oracle Audit[\d+]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>

Any idea?
Thanks in advance.

Federico Rodriguez

Apr 7, 2022, 5:46:25 PM
to Wazuh mailing list
Hi!

Be mindful to escape special characters that have to be treated as literals, such as [ or ]. If you want to match, let's say, [45241], you should match it with \[\d+\].
Also, in the case of complex expressions you have to switch the type= of regular expression used. Take a look at the pcre2 type in the Wazuh documentation. This type of regular expression will support the expressions you are trying to match.
To change the regular expression type, just add the attribute to the prematch or regex tag, like <regex type="pcre2">^(\w+) (\d+) (\d+:\d+:\d+) \w+ journal: Oracle Audit\[\d+\]:</regex>

Decoders documentation


<decoder name="oracle_auditEkip">
  <prematch>^journal: Oracle Audit[\d+]: </prematch>
</decoder>
<decoder name="oracle_auditEkip">
  <parent>oracle_auditEkip</parent>
  <regex>^(\w+) (\d+) (\d+:\d+:\d+) \w+ journal: Oracle Audit[\d+]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>

Hope it helps, keep me updated!

mariano hinjos

Apr 8, 2022, 2:33:54 AM
to Wazuh mailing list

I have not had problems with another decoder that is practically the same; I show you the decoder and the example:

Decoder
<decoder name="oracle_audit">
  <prematch>^Oracle Audit[\d+]: </prematch>
</decoder>
<decoder name="oracle_audit">
  <parent>oracle_audit</parent>
  <regex>^(\w+) (\d+) (\d+:\d+:\d+) \w+ Oracle Audit[\d+]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>
<decoder name="oracle_audit">
  <parent>oracle_audit</parent>
  <regex offset="after_parent">OS\$USERID:[\d+] "(\w+.\w+)"</regex>
  <order>system_user</order>
</decoder>
<decoder name="oracle_audit">
  <parent>oracle_audit</parent>
  <regex offset="after_parent">USERID:[\d+] "(\w+)"</regex>
  <order>oracle_user</order>
</decoder>

Debug
# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.4
Type one log per line

Apr  7 20:11:37 hist1 Oracle Audit[17112]: LENGTH: "300" SESSIONID:[8] "17822933" ENTRYID:[1] "1" USERID:[6] "WSLPRD" ACTION:[3] "101" RETURNCODE:[1] "0" COMMENT$TEXT:[52] "DBLINK_INFO: (SOURCE_GLOBAL_NAME=TESTAAEKIP.472758666)" LOGOFF$PREAD:[1] "3" LOGOFF$LREAD:[3] "379" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "3980474210 " SESSIONCPU:[1] "2"

**Phase 1: Completed pre-decoding.
        full event: 'Apr  7 20:11:37  hist1 Oracle Audit[17112]: LENGTH: "300" SESSIONID:[8] "17822933" ENTRYID:[1] "1" USERID:[6] "WSLPRD" ACTION:[3] "101" RETURNCODE:[1] "0" COMMENT$TEXT:[52] "DBLINK_INFO: (SOURCE_GLOBAL_NAME=TESTAAEKIP.472758666)" LOGOFF$PREAD:[1] "3" LOGOFF$LREAD:[3] "379" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "3980474210 " SESSIONCPU:[1] "2"'
        timestamp: 'Apr  7 20:11:37'
        hostname: ' hist1'

**Phase 2: Completed decoding.
        name: 'oracle_audit'
        accionoracle: '101'
        oraIDsession: '17822933'
        oracle_user: 'WSLPRD'
        oracleresult: '0'

**Phase 3: Completed filtering (rules).
        id: '100915'
        level: '5'
        description: 'ORACLE: Session LOGOFF'
        groups: '['AUDORACLEV2']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


And applying your recommendations:

<decoder name="oracle_auditEkip">
  <prematch>^journal: Oracle Audit\[\d+\]: </prematch>
</decoder>
<decoder name="oracle_auditEkip">
  <parent>oracle_auditEkip</parent>
  <regex type="pcre2">^(\w+) (\d+) (\d+:\d+:\d+) \w+ journal: Oracle Audit\[\d+\]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>

Starting wazuh-logtest v4.2.4
Type one log per line

Apr 07 13:15:17  hist2  journal: Oracle Audit[12396]: LENGTH: "365" SESSIONID:[8] "17552214" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "TTTTTGONZALEZ" USERHOST:[11] "ES\ESMAL210" TERMINAL:[8] "ESMAL210" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT:[99] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.120.39.22)(PORT=49965))" OS$USERID:[15] "pep" DBID:[10] "3980474210" PRIV$USED:[1] "5"

**Phase 1: Completed pre-decoding.
        full event: 'Apr 07 13:15:17  hist2  journal: Oracle Audit[12396]: LENGTH: "365" SESSIONID:[8] "17552214" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "TTTTTGONZALEZ" USERHOST:[11] "ES\ESMAL210" TERMINAL:[8] "ESMAL210" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT:[99] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.120.39.22)(PORT=49965))" OS$USERID:[15] "pep" DBID:[10] "3980474210" PRIV$USED:[1] "5"'

        timestamp: 'Apr 07 13:15:17'
        hostname: 'esmas155t'
        program_name: 'journal'

**Phase 2: Completed decoding.
        No decoder matched.


And the only thing that differs between the two logs is this: journal: Oracle Audit

Federico Rodriguez

Apr 11, 2022, 3:17:39 PM
to Wazuh mailing list
Hi!
Sorry for the delay, I was doing some consultation with my teammates. After making a few tests I found a few discrepancies between the working decoder's test log and the one that doesn't match.
First of all, adjusting the decoder like this will prematch both cases:

<decoder name="oracle_audit">
    <prematch>journal: Oracle Audit[\d+]:</prematch>
</decoder>

<decoder name="oracle_audit">
  <parent>oracle_audit</parent>
  <regex type="pcre2">^(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+\w+\s+journal:\s+Oracle\s+Audit\[\d+\]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>

Also, the following test log has a standard timestamp format which will be pre-digested into the timestamp field, but it won't be matched by the custom fields as it is already pre-digested:
(screenshot attached: Screenshot from 2022-04-11 20-50-50.png)

In the second case the day of the timestamp has only one digit and it is not recognized as a standard format, so the whole log line is analyzed to extract the custom fields:
(screenshot attached: Screenshot from 2022-04-11 20-54-34.png)

So, if the day has one digit (like 7) it will be processed in one way, but if it has two digits (like 17) it will be processed as a standard timestamp.

If the log cannot be configured to have a standard format, there's a workaround to capture both possible formats in the same field, which would be timestamp.
To do so, the decoder would look like this:

<decoder name="oracle_auditEkip">
  <prematch type="pcre2">^\w{3}\s+\d{1,2}\s+\d+:\d+:\d+\s+\w+\s+journal:\s+Oracle\s+Audit\[\d+\]:</prematch>
</decoder>
<decoder name="oracle_auditEkip_child">
  <parent>oracle_auditEkip</parent>
  <regex type="pcre2">^(\w+\x20\d+\x20\d+:\d+:\d+)\x20\x20</regex>
  <order>timestamp</order>
</decoder>

<decoder name="oracle_audit">
    <prematch>journal: Oracle Audit[\d+]:</prematch>
</decoder>

<decoder name="oracle_audit">
  <parent>oracle_audit</parent>
  <regex type="pcre2">^(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+\w+\s+journal:\s+Oracle\s+Audit\[\d+\]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>


(screenshots attached: Screenshot from 2022-04-11 21-03-35.png, Screenshot from 2022-04-11 21-02-25.png)

mariano hinjos

Apr 18, 2022, 3:34:53 AM
to Wazuh mailing list

Sorry for the delay. I appreciate your answer, but if you look at the examples you have put, both have the word journal, and if I run the test, one with that word and one without it, the result remains the same:

Apr 07 13:15:17  hist2  journal: Oracle Audit[12396]: LENGTH: "365" SESSIONID:[8] "17552214" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "TTTTTGONZALEZ" USERHOST:[11] "ES\ESMAL210" TERMINAL:[8] "ESMAL210" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT:[99] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.120.39.22)(PORT=49965))" OS$USERID:[15] "pep" DBID:[10] "3980474210" PRIV$USED:[1] "5"

**Phase 1: Completed pre-decoding.
        full event: 'Apr 07 13:15:17  hist2  journal: Oracle Audit[12396]: LENGTH: "365" SESSIONID:[8] "17552214" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "TTTTTGONZALEZ" USERHOST:[11] "ES\ESMAL210" TERMINAL:[8] "ESMAL210" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT:[99] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.120.39.22)(PORT=49965))" OS$USERID:[15] "pep" DBID:[10] "3980474210" PRIV$USED:[1] "5"'
        timestamp: 'Apr 07 13:15:17'

**Phase 2: Completed decoding.
        name: 'oracle_audit'
        accionoracle: '100'
        oraIDsession: '17552214'
        oracle_user: 'TTTTTGONZALEZ'
        oraclehost: 'ES\ESMAL210'
        oracleport: '49965'
        oracleresult: '0'
        srcip: '10.120.39.22'


**Phase 3: Completed filtering (rules).
        id: '100911'
        level: '5'
        description: 'ORACLE: LOGON ES CORRECT FALLO DE SEGURIDAD'

        groups: '['AUDORACLEV2']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Apr  7 20:11:37 hist1 Oracle Audit[17112]: LENGTH: "300" SESSIONID:[8] "17822933" ENTRYID:[1] "1" USERID:[6] "WSLPRD" ACTION:[3] "101" RETURNCODE:[1] "0" COMMENT$TEXT:[52] "DBLINK_INFO: (SOURCE_GLOBAL_NAME=TESTAAEKIP.472758666)" LOGOFF$PREAD:[1] "3" LOGOFF$LREAD:[3] "379" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "3980474210 " SESSIONCPU:[1] "2"

**Phase 1: Completed pre-decoding.
        full event: 'Apr  7 20:11:37 hist1 Oracle Audit[17112]: LENGTH: "300" SESSIONID:[8] "17822933" ENTRYID:[1] "1" USERID:[6] "WSLPRD" ACTION:[3] "101" RETURNCODE:[1] "0" COMMENT$TEXT:[52] "DBLINK_INFO: (SOURCE_GLOBAL_NAME=TESTAAEKIP.472758666)" LOGOFF$PREAD:[1] "3" LOGOFF$LREAD:[3] "379" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "3980474210 " SESSIONCPU:[1] "2"'
        timestamp: 'Apr  7 20:11:37'
        hostname: 'hist1'

**Phase 2: Completed decoding.
        No decoder matched.

mariano hinjos

Apr 18, 2022, 7:27:30 AM
to Wazuh mailing list
You finally gave me the clue to what could be happening.

First I put the Ekip rule and then the other format, and the result is that each one uses its own rule; I just need to add the rules:


(screenshot attached: wazuh-ruleekip.png)
And the decoders in this order:

<decoder name="oracle_auditEkip">
  <prematch>journal: Oracle Audit[\d+]:</prematch>
</decoder>
<decoder name="oracle_auditEkip">
  <parent>oracle_auditEkip</parent>
  <regex type="pcre2">^(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+\w+\s+journal:\s+Oracle\s+Audit\[\d+\]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>
..
...
...

<decoder name="oracle_audit">
  <prematch>^Oracle Audit[\d+]: </prematch>
</decoder>
<decoder name="oracle_audit">
  <parent>oracle_audit</parent>
  <regex>^(\w+) (\d+) (\d+:\d+:\d+) \w+ Oracle Audit[\d+]:</regex>
  <order>oracle.mes,oracle.dia,oracle.hora</order>
</decoder>
...
...
...

mariano hinjos

May 5, 2022, 6:15:53 AM
to Wazuh mailing list
I am reopening this: I have another, different log and I don't understand why it doesn't decode it.

Apr 7 08:33:26 pepitojournal: Oracle Audit[25582]: LENGTH: "337" SESSIONID:[9] "360821149" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "OPS$IPLAN" USERHOST:[26] "pepito.es.toyota-fs.com" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[90] "Authenticated by: OS; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=10544))" OS$USERID:[5] "iplan" DBID:[10] "3463351456" PRIV$USED:[1] "5"

**Phase 2: Completed decoding.
        name: 'oracle_auditEkip'
        SOuser: 'iplan'
        accionoracle: '100'
        oraIDsession: '360821149'
        oracle_user: 'OPS$IPLAN'
        oracleport: '10544'
        oracleresult: '0'
        srcip: '127.0.0.1'


The same log with two spaces between the month and the day:

Apr  7 08:33:26 pepito journal: Oracle Audit[25582]: LENGTH: "337" SESSIONID:[9] "360821149" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "OPS$IPLAN" USERHOST:[26] "pepito.es.toyota-fs.com" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[90] "Authenticated by: OS; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=10544))" OS$USERID:[5] "iplan" DBID:[10] "3463351456" PRIV$USED:[1] "5"
**Phase 1: Completed pre-decoding.
        full event: 'Apr  7 08:33:26 pepito journal: Oracle Audit[25582]: LENGTH: "337" SESSIONID:[9] "360821149" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "OPS$IPLAN" USERHOST:[26] "esmas155t.es.toyota-fs.com" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[90] "Authenticated by: OS; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=10544))" OS$USERID:[5] "iplan" DBID:[10] "3463351456" PRIV$USED:[1] "5"'
        timestamp: 'Apr  7 08:33:26'
        hostname: 'esmas155t'
        program_name: 'journal'

**Phase 2: Completed decoding.
        No decoder matched.

Why does program_name appear?
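An added example, not code from the thread or from Wazuh: a simplified Python model of the syslog pre-decoding step, reconstructed from the wazuh-logtest output quoted in this thread, that shows what is left in the log field by the time each decoder's prematch is tested. The fixed-column header check, the no-space rule for the program name and the Python translations of the two OSSEC-syntax prematches are my assumptions, not Wazuh's code.

```python
import re

# Added example, not code from the thread or from Wazuh: a simplified model of
# the syslog pre-decoder, reconstructed from the wazuh-logtest output above.
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# Program name: the token after the hostname, up to ':' or '[pid]:', and only
# if it contains no space ("journal:" qualifies, "Oracle Audit[" does not).
PROGRAM_RE = re.compile(r"([^\s:\[]+)(?:\[\d+\])?:\s*")


def predecode(full_log: str) -> dict:
    """Split a line into timestamp, hostname, program_name and the remaining 'log'.

    Assumption: the header is recognised only in the fixed-column syslog form
    'Mmm dd hh:mm:ss ' (day zero- or space-padded: 'Apr 07', 'Apr  7'). A
    single-space 'Apr 7 ...' fails the column check and the whole line stays
    in 'log', which is what the last post observes.
    """
    ev = {"timestamp": None, "hostname": None, "program_name": None, "log": full_log}
    p = full_log
    if not (len(p) > 17 and p[:3] in MONTHS and p[3] == " " and p[6] == " "
            and p[9] == ":" and p[12] == ":" and p[15] == " "):
        return ev
    ev["timestamp"] = p[:15]
    rest = p[16:].lstrip(" ")          # simplification: skip extra spaces before the host
    ev["hostname"], _, rest = rest.partition(" ")
    rest = rest.lstrip(" ")
    m = PROGRAM_RE.match(rest)
    if m:
        ev["program_name"] = m.group(1)
        rest = rest[m.end():]           # the program name is consumed, not left in 'log'
    ev["log"] = rest
    return ev


# The thread's two prematches in Python syntax. The working oracle_audit decoder
# shows that an unescaped '[' is a literal bracket in OSSEC regex syntax.
PREMATCH = {
    "oracle_auditEkip": re.compile(r"journal: Oracle Audit\[\d+\]:"),  # final, unanchored form
    "oracle_audit": re.compile(r"^Oracle Audit\[\d+\]: "),
}


def prematch_hits(full_log: str) -> dict:
    """Which prematch fires, given that it is tested against 'log', not the full line."""
    log = predecode(full_log)["log"]
    return {name: bool(rx.search(log)) for name, rx in PREMATCH.items()}
```

Once the header is recognised, "journal" has already been consumed as program_name, so a prematch containing "journal:" can only fire on lines whose header was not recognised; keying on the program name after pre-decoding is what the decoder's program_name element is for.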