Help Regex Custom Log


badr afilal

Dec 18, 2024, 9:01:05 AM12/18/24
to Wazuh | Mailing List
Hello Team!
I'm looking for help to parse this type of log:

[17/Dec/2024:11:27:02 +0100] 15.15.15.15 - 10.1.10.1 - example.domain.com example.domain.com to: 10.81.1.10:8080 : POST /path/to/resource HTTP/1.1 200 4094 https://example.domain.com/path/to/page upstream_response_time 14.575 request_time 14.576 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0


My current Decoder is :
#############################################
<decoder name="zeus">
  <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
  <regex offset="after_prematch">(\S+)\s-\s(\S+)\s-\s\S+\s\S+\s\S+\s(\S+)\s:\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s</regex>
  <order>srcip, host, upstream_ip, method, endpoint</order>
</decoder>
###############################################

My decoder works perfect but does stop on endpoint which is in the case of log i provided "/path/to/resource" i want to extract response code , user-agent 
Message has been deleted

Hossam El Amraoui Leghzali

Dec 18, 2024, 12:43:25 PM12/18/24
to Wazuh | Mailing List
Hello badr afilal,

There is a tool in Wazuh to check if custom decoders are well-defined. The tool is https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html.

Regular expressions follow a certain syntax; the documentation has more information about their syntax: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html.

In your particular case, the decoder would be as follows:


<decoder name="zeus">
  <!-- timestamp block, e.g. "[17/Dec/2024:11:27:02 +0100] " -->
  <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
  <!-- one capture per <order> entry; the unnamed \S+ tokens skip the two vhost names, "to:",
       the protocol, the response size, the referrer and the two timing name/value pairs.
       The final (\.+) keeps the whole user agent, which contains spaces. -->
  <regex offset="after_prematch">(\S+)\s-\s(\S+)\s-\s\S+\s\S+\s\S+\s(\S+)\s:\s(\S+)\s(\S+)\s\S+\s(\S+)\s\S+\s\S+\s\S+\s\S+\s\S+\s\S+\s(\.+)</regex>
  <order>srcip, host, upstream_ip, method, endpoint, response_code, user_agent</order>
</decoder>


If you need further assistance, feel free to ask. Best regards.
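As an added check that is not part of the thread, the decoder above can be dry-run offline by rewriting its OS_Regex pattern in Python's `re` dialect and matching it against the sample log line; the token mapping used here (Wazuh `\.` to any character, `\S`, `\s`, `\d`, `\w` kept, literal square brackets escaped) is an assumption of this example, and wazuh-logtest remains the authoritative check.

```python
"""Offline dry-run of the 'zeus' decoder's field layout (added example)."""
import re
from typing import Optional

# Constructed copy of the log line from the original message.
SAMPLE_LOG = (
    "[17/Dec/2024:11:27:02 +0100] 15.15.15.15 - 10.1.10.1 - example.domain.com "
    "example.domain.com to: 10.81.1.10:8080 : POST /path/to/resource HTTP/1.1 200 4094 "
    "https://example.domain.com/path/to/page upstream_response_time 14.575 "
    "request_time 14.576 Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
)

# Same names and order as the decoder's <order> element.
ORDER = ["srcip", "host", "upstream_ip", "method", "endpoint", "response_code", "user_agent"]

# <prematch>: OS_Regex treats [ and ] literally, so they are escaped for Python.
PREMATCH = re.compile(r"^\[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+\] ")

# <regex offset="after_prematch">: one capture per ORDER entry; the unnamed
# \S+ tokens skip vhost, vhost, "to:", protocol, size, referrer and the two
# timing pairs. Wazuh's (\.+) becomes (.+) so the user agent keeps its spaces.
FIELDS = re.compile(
    r"(\S+)\s-\s(\S+)\s-\s\S+\s\S+\s\S+\s(\S+)\s:\s(\S+)\s(\S+)\s\S+\s(\S+)"
    r"\s\S+\s\S+\s\S+\s\S+\s\S+\s\S+\s(.+)"
)


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields keyed by ORDER, or None when the decoder would not apply."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None                      # prematch failed: decoder not selected
    m = FIELDS.match(line, pre.end())    # emulate offset="after_prematch"
    if m is None:
        return None                      # regex failed: no fields extracted
    if len(m.groups()) != len(ORDER):
        raise ValueError("capture count does not match the <order> length")
    return dict(zip(ORDER, m.groups()))


if __name__ == "__main__":
    for name, value in (decode(SAMPLE_LOG) or {}).items():
        print(f"{name}: {value}")
```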