Decoder regex help


gcstechnet

Feb 1, 2021, 2:54:47 PM2/1/21
to Wazuh mailing list
Could anyone please help with a regex statement from the following log line

Feb  1 08:01:01 newmon snmptt[10937]: .1.3.6.1.6.3.1.1.5.4 Normal "Status Events" switch.domain.com - Link up on interface 37.  Admin state: up.  Operational state: up

I am trying to get the switch.domain.com and I don't think I am dealing with the double quotes correctly.  I have it retrieving the interface number and the Link change, but I cannot get it to include the switch name.
Link\s(\w+) on interface\s(\d+) is pulling up or down and the interface number. 
Any help would be greatly appreciated.
Thanks

Phil

Yana Zaeva

Feb 1, 2021, 3:14:40 PM2/1/21
to Wazuh mailing list
Hi Phil,

Feel free to use these decoders: 

<decoder name="test">
    <program_name>snmptt</program_name>
</decoder>

<decoder name="test2">
    <parent>test</parent>
    <regex>(\S+) \w+ "(\.+)" (\S+) - </regex>
    <order>numbers, status, domain-name</order>
</decoder>

You should be obtaining this output:

[root@default kibana]# /var/ossec/bin/ossec-logtest
2021/02/01 20:10:30 ossec-testrule: INFO: Started (pid: 1946).
ossec-testrule: Type one log per line.

Feb  1 08:01:01 newmon snmptt[10937]: .1.3.6.1.6.3.1.1.5.4 Normal "Status Events" switch.domain.com - Link up on interface 37.  Admin state: up.  Operational state: up



**Phase 1: Completed pre-decoding.
       full event: 'Feb  1 08:01:01 newmon snmptt[10937]: .1.3.6.1.6.3.1.1.5.4 Normal "Status Events" switch.domain.com - Link up on interface 37.  Admin state: up.  Operational state: up'
       timestamp: 'Feb  1 08:01:01'
       hostname: 'newmon'
       program_name: 'snmptt'
       log: '.1.3.6.1.6.3.1.1.5.4 Normal "Status Events" switch.domain.com - Link up on interface 37.  Admin state: up.  Operational state: up'

**Phase 2: Completed decoding.
       decoder: 'test'
       numbers: '.1.3.6.1.6.3.1.1.5.4'
       status: 'Status Events'
       domain-name: 'switch.domain.com'

I will leave you here a link where you can get further information about regular expressions syntax: https://documentation.wazuh.com/3.9/user-manual/ruleset/ruleset-xml-syntax/regex.html

Hope I was helpful. Do not hesitate to contact me if you have any doubt.
Yana.
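The decoder chain above, worked through as an added Python example (this is not code from the thread or from Wazuh itself). It mirrors what ossec-logtest does in two phases: a stand-in pre-decoder splits the syslog line into timestamp, hostname, program_name and log, and then the "test2" regex is applied to the log part. Two things are assumptions: the second sample line (a "Link down" trap) is constructed for illustration, and the regex is a hand translation, because Wazuh/OSSEC regex and Python regex differ. In particular OSSEC's `\.` means "any character", so `"(\.+)"` becomes `"(.+?)"` in Python; copying the decoder regex verbatim into Python would look for literal dots and never match. Phil's original `Link\s(\w+) on interface\s(\d+)` is kept as a second pattern so both the switch name and the link state come out of one pass.

```python
import re
from typing import Optional

# Constructed sample lines. The first is the line from the thread; the second
# is a hypothetical "Link down" trap in the same snmptt format.
SAMPLE_LOGS = [
    'Feb  1 08:01:01 newmon snmptt[10937]: .1.3.6.1.6.3.1.1.5.4 Normal '
    '"Status Events" switch.domain.com - Link up on interface 37.  '
    'Admin state: up.  Operational state: up',
    'Feb  1 08:05:13 newmon snmptt[10937]: .1.3.6.1.6.3.1.1.5.3 Normal '
    '"Status Events" core-sw2.domain.com - Link down on interface 12.  '
    'Admin state: up.  Operational state: down',
]

# Stand-in for the Wazuh pre-decoder: split a BSD-syslog line into the fields
# that ossec-logtest prints under "Phase 1".
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) '
    r'(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<log>.*)$'
)

# Python translation of the "test2" decoder regex from the thread:
#   OSSEC:  (\S+) \w+ "(\.+)" (\S+) -
#   Python: (\S+) \w+ "(.+?)" (\S+) -
# OSSEC's \. matches any character, so it becomes "." here; the non-greedy
# +? stops at the first closing double quote.
TRAP_RE = re.compile(
    r'(?P<numbers>\S+) \w+ "(?P<status>.+?)" (?P<domain_name>\S+) - '
)

# Phil's original regex, which only captured link state and interface number.
LINK_RE = re.compile(r'Link\s(?P<link_state>\w+) on interface\s(?P<interface>\d+)')


def predecode(line: str) -> Optional[dict]:
    """Phase 1: syslog header fields, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_snmptt(line: str) -> Optional[dict]:
    """Phase 2: mimic the test -> test2 chain; only snmptt lines are decoded."""
    pre = predecode(line)
    if pre is None or pre['program_name'] != 'snmptt':
        return None  # parent decoder "test" does not match
    fields = {'decoder': 'test', 'program_name': 'snmptt'}
    m = TRAP_RE.match(pre['log'])
    if m:
        # Same field names as the <order> in the thread's decoder
        fields['numbers'] = m['numbers']
        fields['status'] = m['status']
        fields['domain-name'] = m['domain_name']
    m = LINK_RE.search(pre['log'])
    if m:
        fields['link_state'] = m['link_state']
        fields['interface'] = m['interface']
    return fields


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        print(decode_snmptt(line))
```

Running the block prints one dict per sample line; for the thread's line it carries numbers '.1.3.6.1.6.3.1.1.5.4', status 'Status Events', domain-name 'switch.domain.com', link_state 'up' and interface '37', which is what ossec-logtest shows in Phase 2 plus Phil's two original fields. A line from another program (sshd, for example) returns None, just as the parent decoder's program_name check would stop the chain.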

gcstechnet

Feb 1, 2021, 3:22:31 PM2/1/21
to Wazuh mailing list
Yana,
Thank you so much.  I had been fighting that and could not get what I wanted.  Your example worked perfectly. I was working from that page but not getting to the result.  Thank you again.

Phil

Yana Zaeva

Feb 1, 2021, 3:28:17 PM2/1/21
to Wazuh mailing list
Hi Phil,

You are welcome! Feel free to contact us anytime! 

Best regards,
Yana.
