I have an application and need to extract three different events: connect, command, disconnect.
I'm trying to get a decoder to work but even if i do a <regex>*</regex> is does not get picked up. I need to extract the username, port, ip address, command and the id of the user connecting/disconnecting/executing a command.
Sample log:
[Sat 19:24:16 INFO Event/User] usernameishere[/123.456.789:5432] logged in with user id 1046770 at ([h18n5]randomstringhere)
[Sat 19:24:33 INFO Event/User] usernameishere ran command: /command is here with spaces
[Sat 19:24:43 INFO Event/User] usernameishere lost connection: reasonhere
Since I'm pretty new to wazuh i have no idea what i did here:
<decoder name="login_decoder">
<parent>json</parent>
<regex>^\[\w+\s+\d+:\d+:\d+\s+(?<level>[A-Z]+)\s+Event\/User\]\s+(?<username>\S+)\[(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:(?<port>\d+)\] logged in with user id (?<user_id>\d+) at \(\[\S+\](?:\S+)\)$</regex>
</decoder>
<decoder name="command_decoder">
<parent>json</parent>
<regex>^\[\w+\s+\d+:\d+:\d+\s+(?<level>[A-Z]+)\s+Event\/User\]\s+(?<username>\S+)\s+ran command:\s+(?<command>.*?)(?=\s+\[|\s*$)</regex>
</decoder>
<decoder name="disconnect_decoder">
<parent>json</parent>
<regex>^\[\w+\s+\d+:\d+:\d+\s+(?<level>[A-Z]+)\s+Event\/User\]\s+(?<username>\S+)\s+lost connection.*$</regex>
</decoder>
Any help or links are appreciated
