Custom decoder not capturing parameter
Posted: Wed Dec 18, 2019 11:05 am
Hi everybody,
I was trying to create a custom decoder for logs generated by the audispd daemon.
Since those are very similar to the ones from the auditd daemon, with the addition of a "node" element at the beginning, I started by copying the existing decoder for auditd, and then I changed it from:
Code:
<decoder name="auditd">
<prematch>^type=</prematch>
</decoder>
to:
Code:
<decoder name="audispd">
<program_name>audispd</program_name>
<prematch>^node=</prematch>
<regex offset="after_prematch">^(\S+) type=</regex>
<order>audit.node</order>
</decoder>
That is, I added an explicit program name reference, and tried to capture some parameter right in the first decoder definition.
The log test shows the decoder is recognized and correctly applied:
Code:
[root@ossec decoders.d]# /var/ossec/bin/ossec-logtest
2019/12/18 16:01:29 ossec-testrule: INFO: Started (pid: 9622).
ossec-testrule: Type one log per line.
Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed'
**Phase 1: Completed pre-decoding.
full event: 'Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''
timestamp: 'Dec 18 12:34:17'
hostname: 'ossec'
program_name: 'audispd'
log: 'node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''
**Phase 2: Completed decoding.
decoder: 'audispd'
audit.pid: '14030'
audit.auid: '4294967295'
audit.uid: '0'
audit.session: '4294967295'
audit.exe: '/usr/sbin/sshd'
audit.srcip: '222.186.175.181'
audit.res: 'failed''
**Phase 3: Completed filtering (rules).
Rule id: '626001'
Level: '0'
Description: 'audispd: SSH authorization failed - ignored'
However, the audit.node parameter does not seem to be present at the end of phase 2... am I missing something?
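Added example (editor's note, not the poster's code and not part of OSSEC): a small offline check a practitioner can run before touching the decoder again. It applies the same prematch and after_prematch patterns from the post to the posted log line, using Python's re module as an approximation of OSSEC's own regex dialect (^ and \S+ behave the same in both), and then splits the audit record into key=value pairs, including the ones nested inside msg='...'. The sample line is a constructed copy of the "log:" text from the ossec-logtest run, and the audit.* names in FIELD_NAMES are an assumed mapping chosen to mirror the phase 2 output above.

```python
import re

# Constructed copy of the "log:" part of the poster's ossec-logtest run, i.e.
# the text the decoders see after pre-decoding (timestamp/host/program removed).
SAMPLE_LOG = (
    "node=ossec.626suite-online.it type=USER_LOGIN "
    "msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 "
    "ses=4294967295 msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=222.186.175.181 terminal=ssh res=failed'"
)

# Python re approximation of the two patterns in the posted decoder.
PREMATCH = re.compile(r"^node=")                 # <prematch>^node=</prematch>
NODE_REGEX = re.compile(r"^(\S+) type=")         # <regex offset="after_prematch">

# One key=value token of an audit record: bare, 'single-quoted' or "double-quoted".
KV_TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Audit keys -> field names as they appear in the poster's phase 2 output
# (assumed mapping; any key not listed is stored as audit.<key>).
FIELD_NAMES = {
    "pid": "audit.pid", "uid": "audit.uid", "auid": "audit.auid",
    "ses": "audit.session", "exe": "audit.exe", "addr": "audit.srcip",
    "res": "audit.res",
}


def parse_audit_kv(text):
    """Split an audit record body into key/value pairs, unwrapping msg='...'."""
    pairs = {}
    for key, value in KV_TOKEN.findall(text):
        if value.startswith("'") and value.endswith("'"):
            # msg='op=login acct="..." ...' carries its own key=value list
            pairs.update(parse_audit_kv(value[1:-1]))
        else:
            pairs[key] = value.strip('"')
    return pairs


def decode_audispd(log):
    """Emulate prematch + after_prematch regex, then extract the audit fields.

    Returns None when the prematch fails (the decoder would not apply at all),
    otherwise a dict keyed like ossec-logtest's phase 2 output.
    """
    m = PREMATCH.match(log)
    if not m:
        return None
    rest = log[m.end():]                          # offset="after_prematch"
    fields = {}
    node = NODE_REGEX.match(rest)
    if node:
        fields["audit.node"] = node.group(1)      # <order>audit.node</order>
    for key, value in parse_audit_kv(rest).items():
        fields[FIELD_NAMES.get(key, "audit." + key)] = value
    return fields


if __name__ == "__main__":
    for name, value in sorted(decode_audispd(SAMPLE_LOG).items()):
        print(f"{name}: '{value}'")
```

Run as-is it prints audit.node together with the pid/uid/srcip/res fields, so the prematch and capture pattern themselves do match this line; that narrows the question to how OSSEC evaluates this decoder against the log rather than to the pattern. Note that the quoted msg body is unwrapped before splitting, so values come out without the trailing quote that appears in the posted phase 2 output.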