James,
Here is a start - Just grouped everything as <summary>:
(?P<summary>(^Alert Level\:\s\d+.*)\n((.+\n)+))
but you might just want everything after the 192.18.215.51-> in the example you provided:
(^Alert Level\:\s\d+.*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}->.*)\n(?P<summary>((.+\n)+))
I am assuming your syslog messages are coming in like this and that you are getting truncated after the first carriage return:
Alert Level: 8; Rule: 18153 - Multiple Windows audit failure events.; Location: (MR51) 192.168.215.51->WinEvtLog; WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: MR51.classe.cornell.edu: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 548 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 255.255.255.255 Source Port: 67 Destination Address: 192.168.213.129 Destination Port: 68 Protocol: 0 Filter Information: Filter Run-Time ID: 2203235 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: MR51.classe.cornell.edu: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 548 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 192.168.214.87 Source Port: 17500 Destination Address: 255.255.255.255 Destination Port: 17500 Protocol: 17 Filter Information: Filter Run-Time ID: 2203235 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.classe.cornell.edu: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 880 Application Name: \device\harddiskvolume3\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 128.84.45.176 Source Port: 53009 Destination Address: 255.255.255.255 Destination Port: 1947 Protocol: 17 Filter Information: Filter Run-Time ID: 71651 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.classe.cornell.edu: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 880 Application Name: \device\harddiskvolume3\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 128.84.47.104 Source Port: 631 Destination Address: 128.84.47.255 Destination Port: 631 Protocol: 17 Filter Information: Filter Run-Time ID: 71651 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.classe.cornell.edu: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 880 Application Name: \device\harddiskvolume3\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 128.84.45.69 Source Port: 17500 Destination Address: 128.84.47.255 Destination Port: 17500 Protocol: 17 Filter Information: Filter Run-Time ID: 71651 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.classe.cornell.edu: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 880 Application Name: \device\harddiskvolume3\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 128.84.45.69 Source Port: 17500 Destination Address: 255.255.255.255 Destination Port: 17500 Protocol: 17 Filter Information: Filter Run-Time ID: 71651 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.classe.cornell.edu: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 880 Application Name: \device\harddiskvolume3\windows\system32\svchost.exe Network Information: Direction: %%14592 Source Address: 128.84.47.104 Source Port: 32931 Destination Address: 128.84.45.75 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 71651 Layer Name: %%14610 Layer Run-Time ID: 44
WinEvtLog: Security: AUDIT_FAILURE(4768): Microsoft-Windows-Security-Auditing: (no user): no domain: DC2.classe.cornell.edu: A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: evm23 Supplied Realm Name: CLASSE.CORNELL.EDU User ID: S-1-0-0 Service Information: Service Name: krbtgt/CLASSE.CORNELL.EDU Service ID: S-1-0-0 Network Information: Client Address: ::ffff:128.84.45.47 Client Port: 53479 Additional Information: Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: 0xffffffff Pre-Authentication Type: - Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
--Rob
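An added example, not part of Rob's or James's mail: the two patterns above run in Python against a constructed alert modelled on the quoted one, plus a small header/event-ID parser for the pieces a detection pipeline usually wants from this rule (level, rule id, agent, reporting IP, and how many of each Windows event ID the alert bundles). The SAMPLE_ALERT text, the HEADER and EVENT patterns and the parse_alert function are my assumptions; the WHOLE_ALERT and AFTER_HEADER patterns are copied from the mail. It also shows the one caveat in the `(.+\n)+` tail: a final line with no trailing newline is silently dropped from the capture.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample alert, modelled on the OSSEC alert quoted in the mail
# (header line followed by several WinEvtLog lines; bodies abbreviated).
SAMPLE_ALERT = (
    "Alert Level: 8; Rule: 18153 - Multiple Windows audit failure events.; "
    "Location: (MR51) 192.168.215.51->WinEvtLog; WinEvtLog: Security: "
    "AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "MR51.classe.cornell.edu: The Windows Filtering Platform has blocked a connection.\n"
    "WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: MR51.classe.cornell.edu: The Windows Filtering Platform blocked a packet.\n"
    "WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: DC1.classe.cornell.edu: The Windows Filtering Platform blocked a packet.\n"
    "WinEvtLog: Security: AUDIT_FAILURE(4768): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: DC2.classe.cornell.edu: A Kerberos authentication ticket (TGT) "
    "was requested. Result Code: 0x6\n"
)

# Rob's two patterns from the mail, unchanged. Without re.MULTILINE the ^ anchors
# at the start of the message, which is what we want for a single alert.
WHOLE_ALERT = re.compile(r"(?P<summary>(^Alert Level\:\s\d+.*)\n((.+\n)+))")
AFTER_HEADER = re.compile(
    r"(^Alert Level\:\s\d+.*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}->.*)\n(?P<summary>((.+\n)+))"
)

# Assumed patterns (mine, not from the mail) for the header fields and the
# per-line Windows event ID inside the alert body.
HEADER = re.compile(
    r"^Alert Level:\s(?P<level>\d+); Rule:\s(?P<rule>\d+) - (?P<desc>[^;]+);\s"
    r"Location:\s\((?P<agent>[^)]+)\)\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})->(?P<source>[^;]+);"
)
EVENT = re.compile(r"WinEvtLog: Security: AUDIT_FAILURE\((?P<event_id>\d+)\)")


def capture_summary(alert: str, pattern: re.Pattern = WHOLE_ALERT) -> Optional[str]:
    """Return the <summary> group for one of the two mail patterns, or None."""
    m = pattern.search(alert)
    return m.group("summary") if m else None


def parse_alert(alert: str) -> Optional[dict]:
    """Pull level, rule id, agent, reporting IP and a per-event-ID count."""
    m = HEADER.search(alert)
    if not m:
        return None
    counts = Counter(e.group("event_id") for e in EVENT.finditer(alert))
    return {
        "level": int(m["level"]),
        "rule": int(m["rule"]),
        "agent": m["agent"],
        "ip": m["ip"],
        "source": m["source"],
        "events": dict(counts),
    }


def line_count(captured: Optional[str]) -> int:
    """Number of complete lines in a capture (each captured line ends in \\n)."""
    return captured.count("\n") if captured else 0


if __name__ == "__main__":
    print(repr(capture_summary(SAMPLE_ALERT, AFTER_HEADER)))
    print(parse_alert(SAMPLE_ALERT))
    # The tail `(.+\n)+` only takes lines that end in a newline, so a message
    # that arrives without a final newline loses its last event line.
    print(line_count(capture_summary(SAMPLE_ALERT.rstrip("\n"), AFTER_HEADER)))
```

If the collector strips the final newline, either append one before matching or change the tail to `(.+\n?)+` so the last event line survives; the header-field pattern does not depend on that tail.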