I was trying to create a custom decoder for logs generated by the audispd daemon.
Since those are very similar to the ones from the auditd daemon, with the addition of a "node" element at the beginning, I started by copying the existing decoder for auditd, and then I changed it from:
```xml
<decoder name="auditd">
  <prematch>^type=</prematch>
</decoder>
```
to:

```xml
<decoder name="audispd">
  <program_name>audispd</program_name>
  <prematch>^node=</prematch>
  <regex offset="after_prematch">^(\S+) type=</regex>
  <order>audit.node</order>
</decoder>
```
The log test shows the decoder is recognized and correctly applied:
```text
[root@ossec decoders.d]# /var/ossec/bin/ossec-logtest
2019/12/18 16:01:29 ossec-testrule: INFO: Started (pid: 9622).
ossec-testrule: Type one log per line.
Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed'

**Phase 1: Completed pre-decoding.
       full event: 'Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''
       timestamp: 'Dec 18 12:34:17'
       hostname: 'ossec'
       program_name: 'audispd'
       log: 'node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''

**Phase 2: Completed decoding.
       decoder: 'audispd'
       audit.pid: '14030'
       audit.auid: '4294967295'
       audit.uid: '0'
       audit.session: '4294967295'
       audit.exe: '/usr/sbin/sshd'
       audit.srcip: '222.186.175.181'
       audit.res: 'failed''

**Phase 3: Completed filtering (rules).
       Rule id: '626001'
       Level: '0'
       Description: 'audispd: SSH authorization failed - ignored'
```
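A small Python emulation of what the logtest session above shows the decoder doing, added here as an example and not part of the post or of OSSEC itself: the syslog pre-decoding, the `^node=` prematch, the `after_prematch` regex that captures `audit.node`, and a key/value pass that maps the auditd fields onto the names listed in Phase 2. The syslog header regex and the `FIELD_MAP` are assumptions of this example, not OSSEC's real decoder internals; the sample line is the one from the post.

```python
import re

# Sample line taken from the logtest session in the post.
SAMPLE = ("Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN "
          "msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 "
          "msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" hostname=? "
          "addr=222.186.175.181 terminal=ssh res=failed'")

# Phase 1 (pre-decoding): timestamp, hostname, program_name, log. Assumed layout.
SYSLOG_RE = re.compile(r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
                       r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")

# Phase 2 (decoding), mirroring the audispd decoder from the post.
PREMATCH = re.compile(r"^node=")            # <prematch>^node=</prematch>
NODE_RE = re.compile(r"^(\S+) type=")       # <regex offset="after_prematch">^(\S+) type=</regex>
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # generic key=value scan over the audit record

# Assumed mapping of audit keys to the field names shown in the logtest output.
FIELD_MAP = {"pid": "audit.pid", "uid": "audit.uid", "auid": "audit.auid",
             "ses": "audit.session", "exe": "audit.exe", "addr": "audit.srcip",
             "res": "audit.res"}


def decode_audispd(line):
    """Return the decoded fields for an audispd line, or None when the decoder does not apply."""
    m = SYSLOG_RE.match(line)
    if not m or m["program_name"] != "audispd":   # <program_name>audispd</program_name>
        return None
    log = m["log"]
    pm = PREMATCH.match(log)
    if not pm:
        return None
    rest = log[pm.end():]                          # offset="after_prematch"
    nm = NODE_RE.match(rest)
    if not nm:
        return None
    fields = {"decoder": "audispd", "audit.node": nm.group(1)}   # <order>audit.node</order>
    for key, val in KV_RE.findall(rest):
        if key in FIELD_MAP:
            # The stock decoder leaves the closing quote on res (see 'failed'' above);
            # here both quote styles are stripped so the value compares cleanly in rules.
            fields[FIELD_MAP[key]] = val.strip("\"'")
    return fields


if __name__ == "__main__":
    for name, value in decode_audispd(SAMPLE).items():
        print(f"{name}: '{value}'")
```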