Decoder for Hirschmann switches not working


Sergio

5:57 AM
to Wazuh | Mailing List
Hi,

I'm working on a decoder for events from Hirschmann switches.

I don't know what I'm doing wrong, but my decoder is not working properly.

This is the decoder that I currently have:

<decoder name="hirschmann">
  <prematch type="pcre2">^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+</prematch>
</decoder>

<decoder name="hirschmann_child">
  <parent>hirschmann</parent>
  <regex type="pcre2">^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(\S+).*user \'([^']+)\'</regex>
  <order>hostname,user</order>
</decoder>

This is the example log that I'm using:

Nov 28 12:03:23 XXXXXXXX [LIGHTY tLighty 0x00140087] HTTP(S) authentication failed for user 'admin'.

This is the result of the decoding test:

**Phase 1: Completed pre-decoding.
    full event: 'Nov 28 12:03:23  XXXXXXXX [LIGHTY tLighty 0x00140087] HTTP(S) authentication failed for user 'admin'.'
    timestamp: 'Nov 28 12:03:23'
    hostname: ' XXXXXXXX'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 3: Completed filtering (rules).
    id: '2501'
    level: '5'
    description: 'syslog: User authentication failure.'
    groups: '["syslog","access_control","authentication_failed"]'
    firedtimes: '1'
    gdpr: '["IV_35.7.d","IV_32.2"]'
    gpg13: '["7.8"]'
    hipaa: '["164.312.b"]'
    mail: 'false'
    nist_800_53: '["AU.14","AC.7"]'
    pci_dss: '["10.2.4","10.2.5"]'
    tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

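The following is an added example, not code from the post or from Wazuh: it emulates, in simplified form, what the phase 1 output above shows (the syslog timestamp and hostname are split off before decoders run) and applies the posted prematch/regex, using Python's re module in place of PCRE2, first to the full event and then to the remaining message body. The BODY_PREMATCH and BODY_REGEX patterns are hypothetical replacements written for this example, on the assumption that decoders see only the body after the header has been stripped.

```python
import re

# Constructed sample, copied from the post (note the two spaces between the
# timestamp and the hostname, which is why phase 1 reports ' XXXXXXXX').
SAMPLE_LOG = ("Nov 28 12:03:23  XXXXXXXX [LIGHTY tLighty 0x00140087] "
              "HTTP(S) authentication failed for user 'admin'.")

# Patterns exactly as they appear in the posted decoder.
POSTED_PREMATCH = r"^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+"
POSTED_REGEX = r"^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(\S+).*user \'([^']+)\'"

# Hypothetical replacements (assumption for this example): they anchor on the
# message body only and capture just the user, since the hostname is already
# filled in by pre-decoding.
BODY_PREMATCH = r"^\[LIGHTY"
BODY_REGEX = r"authentication failed for user '([^']+)'"

SYSLOG_HEADER = re.compile(r"^\w{3} [ \d]\d \d{2}:\d{2}:\d{2} ")


def predecode(event):
    """Simplified emulation of phase 1: take 'Mmm dd hh:mm:ss' as the
    timestamp, the next token as the hostname, and keep the rest as the body.
    (Surplus spaces are collapsed here; the real pre-decoder keeps one.)"""
    if not SYSLOG_HEADER.match(event):
        return {"log": event}
    timestamp, rest = event[:15], event[16:].lstrip(" ")
    hostname, _, body = rest.partition(" ")
    return {"timestamp": timestamp, "hostname": hostname, "log": body}


def decoder_matches(prematch, regex, text):
    """Apply prematch, then regex; None means the prematch rejected the text,
    otherwise the tuple of captured groups (empty if the regex did not match)."""
    if not re.search(prematch, text):
        return None
    m = re.search(regex, text)
    return m.groups() if m else ()


def run_example():
    """Compare the posted patterns against the full event and the body."""
    body = predecode(SAMPLE_LOG)["log"]
    return {
        "body": body,
        # Works on the raw line, which is what a hand test tends to try.
        "posted_on_full_event": decoder_matches(POSTED_PREMATCH, POSTED_REGEX, SAMPLE_LOG),
        # Fails on the body: '^\w{3}' cannot match the leading '['.
        "posted_on_body": decoder_matches(POSTED_PREMATCH, POSTED_REGEX, body),
        # Body-anchored patterns match and capture the user.
        "body_patterns_on_body": decoder_matches(BODY_PREMATCH, BODY_REGEX, body),
    }
```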