Cisco Ironport decoding
223 views
Skip to first unread message
TUKARAM GAONKAR
Jun 22, 2021, 8:56:08 AM6/22/21
to Wazuh mailing list
Dear Team ,
Have you created a decoder for Cisco Ironport mail Gateway? I have integrated Ironport mail gateway with wazuh but the log comes in multiline format.Which is hard to decode.
Need your suggestion or help to decode this kind of logs.
Warm regards,
Tukaram Gaonkar
Julián Morales
Jun 22, 2021, 12:05:23 PM6/22/21
to Wazuh mailing list
Hi Tukaram,
Since version 4.1, the Wazuh Manager supports PCRE2 (Perl Compatible Regular Expressions). PCRE2 allows to decode and match multi-line logs.
If you wish, you could share with us some sample logs and I will happily help you to create the proper decoders.
Regards,
Julian
Since version 4.1, the Wazuh Manager supports PCRE2 (Perl Compatible Regular Expressions). PCRE2 allows to decode and match multi-line logs.
If you wish, you could share with us some sample logs and I will happily help you to create the proper decoders.
Regards,
Julian
Julián Morales
Jun 25, 2021, 11:29:39 AM6/25/21
to Wazuh mailing list
Hi Tukaram,
Thank you for sharing the logs. You have shared with us 2 types of logs:
Both logs are single line and correspond to the standard syslog format, it is not necessary to use PCRE2. You could create the decoders with the sibiling strategy (You could read more about it here)
On the other hand, I think this blog entry may be of interest to you, it explains how to create decoders and rules from scratch.
If it is not a bother, could we continue this conversation in public messages?, this will allow other users who have similar issues to you to find a solution.
Thank you.
Regards,
Julian
Thank you for sharing the logs. You have shared with us 2 types of logs:
- Mar 14 12:11:29 mail_logs_wazuh: Info: MID 34567832 SPF: helo identity postm...@zzz.yyy.xxxx.com Pass (v=spf1)
- 2015-08-18T14:35:26-05:00 esa textmaillog: Info: MID 320793004 ICID 850203963 RID 0 To: <yyyy...@xxxxx.xxxx>
Both logs are single line and correspond to the standard syslog format, it is not necessary to use PCRE2. You could create the decoders with the sibiling strategy (You could read more about it here)
On the other hand, I think this blog entry may be of interest to you, it explains how to create decoders and rules from scratch.
If it is not a bother, could we continue this conversation in public messages?, this will allow other users who have similar issues to you to find a solution.
Thank you.
Regards,
Julian
Reply all
Reply to author
Forward
0 new messages