Custom decoder not capturing parameter

Support/Development for OSSEC
Post by mtassinari:

Hi everybody,

I was trying to create a custom decoder for logs generated by the audispd daemon.

Since those are very similar to the ones from auditd daemon, with addition of a "node" element at the beginning, I started by copying the existing decoder for auditd, and then I changed it from:


<decoder name="auditd">
  <prematch>^type=</prematch>
</decoder>
to:


<decoder name="audispd">
  <program_name>audispd</program_name>
  <prematch>^node=</prematch>
  <regex offset="after_prematch">^(\S+) type=</regex>
  <order>audit.node</order>
</decoder>
that is, I added an explicit program-name reference and tried to capture a parameter right in the first decoder definition.

The log test shows the decoder is recognized and correctly applied:


[root@ossec decoders.d]# /var/ossec/bin/ossec-logtest
2019/12/18 16:01:29 ossec-testrule: INFO: Started (pid: 9622).
ossec-testrule: Type one log per line.

Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed'


**Phase 1: Completed pre-decoding.
       full event: 'Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''
       timestamp: 'Dec 18 12:34:17'
       hostname: 'ossec'
       program_name: 'audispd'
       log: 'node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''

**Phase 2: Completed decoding.
       decoder: 'audispd'
       audit.pid: '14030'
       audit.auid: '4294967295'
       audit.uid: '0'
       audit.session: '4294967295'
       audit.exe: '/usr/sbin/sshd'
       audit.srcip: '222.186.175.181'
       audit.res: 'failed''

**Phase 3: Completed filtering (rules).
       Rule id: '626001'
       Level: '0'
       Description: 'audispd: SSH authorization failed - ignored'
However, the audit.node parameter does not seem to be present at the end of phase 2... am I missing something?
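The following is an added, stand-alone parser for the audispd record format shown in the post above. It is example code written for this page, not OSSEC's decoder engine and not the poster's decoder. It splits the syslog header from the audit payload, reads the node=, type= and msg=audit(ts:serial): prefix, then the key=value pairs, including the nested msg='...' block, and emits OSSEC-style audit.* field names (the naming follows the fields visible in the Phase 2 output). It goes slightly beyond the post's single case: it also accepts raw /var/log/audit/audit.log lines that have neither a syslog header nor a node= prefix. The first sample line is copied from the ossec-logtest run above; the second is constructed for the example. The regular expressions are this example's own Python re patterns and are not OSSEC os_regex syntax, so they say nothing about why the decoder drops audit.node; they only show which fields are present in the line for a decoder to extract.

```python
"""Parse audispd / auditd records into OSSEC-style ``audit.*`` fields.

Added example for this thread: not OSSEC code and not the poster's
decoder. It handles the record layout discussed above: an optional syslog
header, an optional ``node=`` prefix, ``type=``, ``msg=audit(ts:serial):``
and key=value pairs, some quoted, with a nested ``msg='...'`` that carries
its own key=value pairs. The regexes are this example's own Python ``re``
patterns, not OSSEC os_regex syntax.
"""
import re
from typing import Dict

# Copied from the ossec-logtest run in the post above.
SAMPLE_AUDISPD = (
    "Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it "
    "type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login acct=\"(unknown)\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=222.186.175.181 terminal=ssh "
    "res=failed'"
)

# Constructed for this example: a raw /var/log/audit/audit.log record with
# neither a syslog header nor a node= prefix.
SAMPLE_RAW_AUDITD = (
    "type=SYSCALL msg=audit(1576668900.001:7026700): arch=c000003e "
    "syscall=59 success=yes exit=0 ppid=14001 pid=14052 auid=1000 uid=1000 "
    "comm=\"id\" exe=\"/usr/bin/id\" key=\"exec\""
)

# Syslog header: "Mon DD HH:MM:SS host program[pid]: payload"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<payload>.*)$"
)
# "audit(1576668857.459:7026663):" -> timestamp and serial number
AUDIT_MSG_RE = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?$")
# key=value where value is 'single-quoted', "double-quoted" or a bare token.
# Quoted alternatives come first so a quoted value with spaces stays whole.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def _unquote(raw: str) -> str:
    """Strip one pair of matching surrounding quotes, if present."""
    if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
        return raw[1:-1]
    return raw


def parse_audit_record(line: str) -> Dict[str, str]:
    """Return a flat dict of fields for one audispd/auditd record.

    Syslog header fields (when present) are ``timestamp``, ``hostname`` and
    ``program_name``; every audit key is prefixed ``audit.`` so the nested
    ``hostname=?`` inside msg='...' cannot clobber the syslog hostname.
    """
    fields: Dict[str, str] = {}
    m = SYSLOG_RE.match(line)
    if m:
        fields["timestamp"] = m.group("ts")
        fields["hostname"] = m.group("host")
        fields["program_name"] = m.group("prog")
        payload = m.group("payload")
    else:
        # Raw audit.log line: no syslog header, the payload is the whole line.
        payload = line.strip()

    for key, raw in KV_RE.findall(payload):
        value = _unquote(raw)
        if key != "msg":
            fields["audit." + key] = value
            continue
        # Two different "msg=" keys exist: the audit(ts:serial) header and
        # the quoted nested message carrying its own key=value pairs.
        am = AUDIT_MSG_RE.match(value)
        if am:
            fields["audit.ts"] = am.group("ts")
            fields["audit.serial"] = am.group("serial")
        else:
            for k2, raw2 in KV_RE.findall(value):
                fields["audit." + k2] = _unquote(raw2)
    return fields


def has_node(line: str) -> bool:
    """True when the record carries the audispd-only ``node=`` prefix."""
    return "audit.node" in parse_audit_record(line)


if __name__ == "__main__":
    for sample in (SAMPLE_AUDISPD, SAMPLE_RAW_AUDITD):
        for k, v in parse_audit_record(sample).items():
            print(f"{k}: {v!r}")
        print()
```

Running the file prints every field the line actually carries, audit.node included for the audispd sample and absent for the raw auditd one, which gives a reference list to compare against the Phase 2 output of ossec-logtest for the same line.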