+
+<!-- apparmor
+ - Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
+ - Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+ - Jun 16 17:37:39 hostname kernel: [891880.587623] audit: type=1400 audit(1402933059.038:1681857): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/dovecot//null-1fde//null-1fdf" name="/usr/lib/dovecot/pop3-login" pid=13903 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18"
+ - Jun 16 17:37:39 hostname kernel: [891880.587957] audit: type=1400 audit(1402933059.038:1681858): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+ - Jun 16 17:37:39 hostname kernel: [891880.587976] audit: type=1400 audit(1402933059.038:1681859): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+ - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1402933059.038:1681860): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
+ - Jun 23 20:46:15 hostname kernel: [ 11.103248] audit: type=1400 audit(1403549175.177:2): apparmor="STATUS" operation="profile_load" name="/sbin/klogd" pid=2185 comm="apparmor_parser"
+ - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
+ - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
+-->
+
+<decoder name="apparmor">
+ <parent>iptables</parent>
+ <prematch> apparmor=</prematch>
+ <regex> apparmor="(\S+)" operation="(\S+)"</regex>
+ <order>status, extra_data</order>
+</decoder>
+
+<!-- unix_chkpwd
+ - Jul 21 07:40:29 localhost unix_chkpwd[15804]: password check failed for user (username)
+-->
+<decoder name="unix_chkpwd">
+ <program_name>^unix_chkpwd</program_name>
+</decoder>
+
+<!--Jul 21 07:40:29 localhost unix_chkpwd[15804]: password check failed for user (username)-->
+<decoder name="chkpwd-user">
+ <parent>unix_chkpwd</parent>
+ <regex offset="after_parent">user \((\w+)\)$</regex>
+ <order>srcuser</order>
+</decoder>
+
+<!-- Barracuda S&VF Email Logs
+Examples:
+May 14 03:31:21 mx1.example.org inbound/pass1: mail-88-66.reachmail.net[216.55.88.66] 1400074281-06f4a338c037a90001-TkCAQV 1400074281 1400074283 RECV errors@mail-88-68.reachmail.net eteixeira@example.net 2 12 -
+May 15 14:09:17 mx1.example.org inbound/pass1: host.limitless-servers.com[192.208.186.41] 1400198954-06f4a338c062640001-BkZagu 1400198954 1400198958 SCAN - heartattackbreakthrough@ridchanceofhrtattk.us en@example.org - 2 74 ridchanceofhrtattk.us SZ:2557 SUBJ:THE #1 Trick to Prevent Heart-Attacks Revealed???
+May 16 10:12:29 mx1.example.org inbound/pass1: kumarafoundation.hestoe.com[208.123.118.114] 1400271149-06f4a338c07a210001-QwTJwG 1400271149 1400271151 SCAN - EzekielMack@kumarafoundation.hestoe.com ctakesue@example.org - 2 74 hestoe.com SZ:1917 SUBJ:Bad Economy, Bad Rates - Get An Auto Insurance Quotes Today
+May 13 01:20:44 mx1.example.org scan: salmon.emxp002.net[174.123.35.182] 1399980039-06f4a338c019db0001-ZAPlzU 1399980040 1399980045 SCAN - errors@mermaid.emxp002.net PTAUA@HINGYCA.ORG 1.636 0 0 - SZ:86808 SUBJ:ATTN PASILA: URGENT FUNDING AVAILABLE
+May 14 09:39:30 mx1.example.org scan: mc.eau.lormaneducation.com[64.198.99.4] 1400096370-06f4a338c040390001-vQoliC 1400096370 1400096372 SCAN - bounce-201405143661297864@mc.eau.lormaneducation.com tmoriyasu@dod.hawaii.gov 0.401 0 0 - SZ:22001 SUBJ:Contractor's Dilemma of Dealing With Bad Plans and Specs - OnDemand Webinar
+May 16 10:56:04 mx1.example.org scan: smtp133.elabs13.com[74.116.235.133] 1400273757-06f4a338c07b490001-CBNzJg 1400273757 1400273765 SCAN - newsletter@email.cnbc.com tcolwell@example.net 0.402 0 0 - SZ:26609 SUBJ:=?utf-8?Q?"Failure=20to=20Recall:=20Investigating=20GM"=20Premier?==?utf-8?Q?es=20Sunday=2010p=20ET/PT?=
+Jul 26 10:39:36 mx1.example.org outbound/smtp: 127.0.0.1 1406407176-06f4a35b4d10f2c0001-EGYtgK 0 0 SEND - 3 A90EBA1F1BA connect to dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]: server refused mail service
+Jul 26 13:38:16 mx1.example.org outbound/smtp: 127.0.0.1 1406248798-06f4a35b4de6bd0001-3QeedR 0 0 SEND - 3 68EC0A1F1A3 Name service error for name=conference.preventchildabusetexas.org type=MX: Host not found, try again
+Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2000001-PDxQZ2 0 0 SEND - 3 A194BA1F1AC connect to qw.eau.lormanwebinars.com[63.232.201.60]: Connection refused
+-->
+
+<decoder name="barracuda-svf-email">
+ <program_name>^inbound/pass|^scan|^outbound/smtp</program_name>
+</decoder>
+
+<decoder name="barracuda-svf1">
+ <parent>barracuda-svf-email</parent>
+ <prematch>^\S+[\S+]|</prematch>
+ <prematch>^\S+</prematch>
+ <regex>^\S+[(\S+)] (\d+-\w+-\w+) \d+ \d+ |</regex>
+ <regex>^(\S+) (\d+-\w+-\w+) \d+ \d+ </regex>
+ <order>srcip, id</order>
+</decoder>
+
+<!-- Info section - SCAN -->
+<decoder name="barracuda-svf1">
+ <parent>barracuda-svf-email</parent>
+ <regex offset="after_regex">(SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$</regex>
+ <order>action, extra_data</order>
+</decoder>
+
+<!-- Info section RECV -->
+<decoder name="barracuda-svf1">
+ <parent>barracuda-svf-email</parent>
+ <regex offset="after_regex">(RECV) (\S+ \S+ \d+ \d+ \.+)$</regex>
+ <order>action, extra_data</order>
+</decoder>
+
+<!-- Info section SEND -->
+<decoder name="barracuda-svf1">
+ <parent>barracuda-svf-email</parent>
+ <regex offset="after_regex">(SEND) (\S+ \d+ \S+ \.+)$</regex>
+ <order>action, extra_data</order>
+</decoder>
+
+<!-- Barracuda S&VF Administration-->
+
+<decoder name="barracuda-svf-admin">
+ <program_name>^web</program_name>
+</decoder>
+
+<decoder name="barracuda-svf-admin-change">
+ <parent>barracuda-svf-admin</parent>
+ <prematch>^[\S+] global[] CHANGE</prematch>
+ <regex offset="after_parent">^[(\S+)] global[] (CHANGE) (\S+ \(\S*)\)$</regex>
+ <order>srcip,action,extra_data</order>
+</decoder>
+
+<decoder name="barracuda-svf-admin-auth">
+ <parent>barracuda-svf-admin</parent>
+ <prematch>^[\S+] LOGIN|</prematch>
+ <prematch>^[\S+] FAILED_LOGIN|</prematch>
+ <prematch>^[\S+] LOGOUT</prematch>
+ <regex offset="after_parent">^[(\S+)] (\S+) \((\S+)\)\p*$</regex>
+ <order>srcip,action,user</order>
+</decoder>
+
+
+<!--
+ - Decoder for Sysmon Event ID 1: Process Created
+ - Maintained by Josh Brower, Josh@DefensiveDepth.com
+ -
+ - OSSEC to Sysmon Fields Mapping:
+ - user = User
+ - status = Image
+ - url = Hash
+ - extra_data = ParentImage
+
+ - Examples:
+ - 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE
+-->
+
+<decoder name="Sysmon-EventID#1">
+<type>windows</type>
+<prematch>INFORMATION\(1\)</prematch>
+<regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
+<order>status,user,url,data</order>
+</decoder>
+
+<!-- Squid access log decoder.
+ - Will extract the srcip.
+ - Author: Ahmet Ozturk
+ - Examples:
+ - 1140701044.525 1231 192.168.1.201 TCP_DENIED/400 1536
+ GET ahmet - NONE/- text/html
+ - 1140701230.827 781 192.168.1.210 TCP_DENIED/407 1785
+ GET http://www.ossec.net oahmet NONE/- text/html
+ -->
+<decoder name="squid-accesslog">
+ <type>squid</type>
+ <prematch>^\d+ \S+ </prematch>
+ <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
+ <order>srcip,action,id,url</order>
+</decoder>
+
+<!-- unbound
+ - 2014-05-20T09:01:07.283219-04:00 arrakis unbound: [9405:0] notice: sendto failed: Can't assign requested address
+ - 2014-07-14T14:00:02.814490-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 talkgadget.google.com. A IN
+ - 2014-07-14T14:00:05.507848-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: 3 queries, 2 answers from cache, 1 recursions, 0 prefetch
+ - 2014-07-14T14:00:05.507955-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
+ - 2014-07-14T14:00:05.508075-04:00 arrakis unbound: [2541:0] info: average recursion processing time 0.038814 sec
+ - 2014-07-14T14:00:05.508166-04:00 arrakis unbound: [2541:0] info: histogram of recursion processing times
+ - 2014-07-14T14:00:05.508248-04:00 arrakis unbound: [2541:0] info: [25%]=0 median[50%]=0 [75%]=0
+ - 2014-07-14T14:00:05.508333-04:00 arrakis unbound: [2541:0] info: lower(secs) upper(secs) recursions
+ - 2014-07-14T14:00:05.508414-04:00 arrakis unbound: [2541:0] info: 0.032768 0.065536 1
+ - 2014-07-14T15:05:07.520229-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 github.com. AAAA IN
+-->
+
+
+<decoder name="unbound">
+ <program_name>^unbound</program_name>
+</decoder>
+
+<decoder name="unbound-a">
+ <parent>unbound</parent>
+ <regex> info: (\S+) (\S+). A IN$| info: (\S+) (\S+) AAAA IN$</regex>
+ <order>srcip,url</order>
+</decoder>
+
+<!-- OpenBSD doas -->
+<decoder name="doas">
+ <program_name>^doas</program_name>
+</decoder>
+
+<decoder name="doas-user">
+ <parent>doas</parent>
+ <regex>^(\S+) ran| for (\S+):</regex>
+ <order>srcuser</order>
+</decoder>
+
+<decoder name="doas-user">
+ <parent>doas</parent>
+ <regex offset="after_parent"> as (\S+): </regex>
+ <order>dstuser</order>
+</decoder>
+
+<!-- Exim
+ - Examples:
+ - 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
+ - 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test)
+ - 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1)
+ - 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost
+ - 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123")
+-->
+
+<decoder name="exim-authfailed">
+ <parent>windows-date-format</parent>
+ <prematch offset="after_parent">authenticator failed</prematch>
+ <regex offset="after_prematch">[(\S+)]:\d+: \d+ Incorrect authentication data \(set_id=(\w+)\)</regex>
+ <order>srcip,user</order>
+</decoder>
+
+<decoder name="exim-connect">
+ <parent>windows-date-format</parent>
+ <prematch offset="after_parent">^SMTP connection from </prematch>
+ <regex offset="after_prematch">[(\S+)]:\d+ \(TCP/IP connection count</regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="exim-disconnect">
+ <parent>windows-date-format</parent>
+ <prematch offset="after_parent">^SMTP connection from </prematch>
+ <regex offset="after_prematch">[(\S+)]:\d+ lost</regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="exim-syntax-errors">
+ <parent>windows-date-format</parent>
+ <prematch offset="after_parent">^SMTP call from </prematch>
+ <regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex>
+ <order>srcip</order>
+</decoder>
+
+<!-- NSD
+ - Aug 11 13:21:46 ix nsd[16565]: server initialization failed, nsd could not be started
+ - Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: syntax error
+ - Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: unrecognized RR type 'name:'
+ - Aug 12 09:01:00 junction.example.com nsd[7405]: NSTATS 1439384460 1439314258 A=1 AAAA=1
+ - Aug 12 09:01:00 junction.example.com nsd[7405]: XSTATS 1439384460 1439314258 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAn
+s=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
+ - Dec 16 12:51:17 pine nsd[90235]: xfrd: zone example.com received error code NOT IMPL from 192.168.17.9@153
+-->
+
+<decoder name="nsd">
+ <program_name>^nsd</program_name>
+</decoder>
+
+<decoder name="nsd-from">
+ <parent>nsd</parent>
+ <regex> from (\S+)@| from (\S+)</regex>
+ <order>srcip</order>
+</decoder>
+
+<!-- ownCloud
+ - Examples owncloud.log (Note that the syntax of failed login logs differs between oler and newer ownCloud versions):
+ - {"reqId":"Jrd4fkwIcXhVjtP8qODR","level":2,"time":"2017-09-20T15:44:23+02:00","remoteAddr":"127.0.0.1","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')"}
+ - {"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}
+ - {"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}
+ - {"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
+ - {"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}
+ - {"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
+ - {"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}
+ - {"reqId":"9f8edc5558b2b4f8628663d83a092a7f","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:19:02 - +00:00","method":"POST","url":"\/cloud\/index.php"}
+ - {"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}
+ - {"reqId":"5576a04643d8e","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:13:58+00:00","method":"POST","url":"\/owncloud\/index.php"}
+ - {"app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:10:29+00:00"}
+ - {"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php"}
+ - {"reqId":"BaW6nfA5rHBoihjDtQVm","remoteAddr":"127.0.0.1","app":"core-preview","message":"Passed filename is not valid, might be malicious (file:\"test\";ip:\"127.0.0.1\")","level":2,"time":"2017-09-01T22:11:25+02:00","method":"POST","url":"\/login","user":"--"}
+ - {"reqId":"4ETnKW0UyDBNmL4z\/umV","remoteAddr":"127.0.0.1","app":"PHP","message":"Redis::connect(): connect() failed: No such file or directory at \/var\/www\/owncloud\/lib\/private\/RedisFactory.php#60","level":3,"time":"2017-08-21T16:00:34+02:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/admin\/example\/","user":"admin"}
+ - {"reqId":"4j2DKpvOh0OezXVwfuLO","remoteAddr":"127.0.0.1","app":"PHP","message":"fopen(\/var\/www\/owncloud\/data\/user 1\/thumbnails\/1234\/32-32.png): failed to open stream: No such file or directory at \/var\/www\/owncloud\/lib\/private\/Files\/Storage\/Local.php#278","level":3,"time":"2017-07-15T23:59:20+02:00","method":"GET","url":"\/core\/preview.png?file=%2Fexample.txt&c=123&x=32&y=32&forceIcon=0","user":"user 1"}
+
+ - Examples syslog:
+ - Sep 1 20:16:09 foo ownCloud[15463]: {core} Login failed: 'test' (Remote IP: '127.0.0.1')
+ - Sep 1 22:16:33 foo ownCloud[15467]: {core-preview} Passed filename is not valid, might be malicious (file:"test";ip:"127.0.0.1")
+-->
+
+<decoder name="owncloud">
+ <prematch>^{"reqId":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"app":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"reqId":"\S+","level":\d,"time":"\S+","message":"\.+"}$</prematch>
+</decoder>
+
+<!-- Note: This defaults to "ownCloud" but users can change the syslog tag: https://github.com/owncloud/core/blob/v10.0.2/config/config.sample.php#L608-L614 -->
+<decoder name="owncloud">
+ <program_name>^ownCloud</program_name>
+</decoder>
+
+<decoder name="owncloud-failed1">
+ <parent>owncloud</parent>
+ <prematch>Login failed: user </prematch>
+ <regex offset="after_prematch">^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+)</regex>
+ <order>user, srcip</order>
+</decoder>
+
+<decoder name="owncloud-failed2">
+ <parent>owncloud</parent>
+ <prematch>Login failed: </prematch>
+ <regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+)</regex>
+ <order>user, srcip</order>
+</decoder>
+
+<decoder name="owncloud-malicious">
+ <parent>owncloud</parent>
+ <prematch>Passed filename is not valid, might be malicious </prematch>
+ <regex offset="after_prematch">;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+)</regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="owncloud-loglevel">
+ <parent>owncloud</parent>
+ <prematch>","level":</prematch>
+ <regex offset="after_prematch">^(\d),"</regex>
+ <order>status</order>
+</decoder>
+
+<!-- psad
+ - Examples: (Note: IPv6 untested)
+ - Sep 8 22:52:30 sni psad: scan detected (Nmap -sT or -sS scan): 212.83.152.232 -> 1.2.3.4 tcp: [21943] flags: SYN tcp pkts: 3 DL: 3
+ - Sep 9 08:36:30 sni psad: src: 62.210.167.199 signature match: "BACKDOOR DoomJuice file upload attempt" (sid: 2375) tcp port: 3180
+ - Sep 9 08:36:30 sni psad: scan detected (Masscan SYN scan): 62.210.167.199 -> 1.2.3.4 tcp: [3320-62210] flags: SYN tcp pkts: 10 DL: 3
+ - Sep 3 14:18:52 sni psad: scan detected ( -sU scan): 192.168.1.42 -> 239.255.255.250 udp: [1900] udp pkts: 16 DL: 3
+ - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "MISC Microsoft PPTP communication attempt" (sid: 100082) tcp port: 1723
+ - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "DOS iParty DOS attempt" (sid: 1605) tcp port: 6004
+ - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "DOS Real Audio Server communication attempt" (sid: 100112) tcp port: 7070
+ - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "BACKDOOR DoomJuice file upload attempt" (sid: 2375) tcp port: 3129
+ - Aug 9 16:46:32 dsc psad: message repeated 2 times: [ scan detected (Nmap -sT or -sS scan): 10.1.0.15 -> 192.168.1.18 tcp: [80] flags: SYN tcp pkts: 3 DL: 3]example logs:
+-->
+
+<decoder name="psad">
+ <program_name>psad</program_name>
+</decoder>
+
+<decoder name="psad-scan">
+ <parent>psad</parent>
+ <prematch>^scan detected </prematch>
+ <regex offset="after_prematch"> (\S+) -> (\S+) \.+ DL: (\d)</regex>
+ <order>srcip,dstip,status</order>
+</decoder>
+
+<decoder name="psad-repeated">
+ <parent>psad</parent>
+ <prematch>^message repeated</prematch>
+ <regex offset="after_prematch"> (\S+) -> (\S+) \.+ DL: (\d)</regex>
+ <order>srcip,dstip,status</order>
+</decoder>
+
+<decoder name="psad-signature">
+ <parent>psad</parent>
+ <prematch>signature match: </prematch>
+ <regex offset="after_parent">src: (\S+) signature match: \.+ port: (\d+)</regex>
+ <order>srcip,dstport</order>
+</decoder>
+
+<!-- Proxmox Virtual Environment (Proxmox VE)
+ - Examples syslog:
+ - Sep 10 22:12:41 example pvedaemon[6427]: authentication failure; rhost=192.168.0.1 user=root@pam msg=Authentication failure
+ - Sep 10 22:12:49 example pvedaemon[6428]: authentication failure; rhost=192.168.0.1 user=root@pve msg=no such user ('root@pve')
+ - Sep 10 22:12:54 example pvedaemon[6428]: <root@pam> successful auth for user 'root@pam'
+ - Sep 10 22:13:44 example pvedaemon[6427]: <root@pam> starting task UPID:example:00000000:11111111:22222222:vzstart:100:root@pam:
+ - Sep 10 22:13:44 example pvedaemon[13735]: starting CT 100: UPID:example:00000000:11111111:22222222:vzstart:100:root@pam:
+ - Sep 10 22:13:46 example pvedaemon[6427]: <root@pam> end task UPID:example:00000000:11111111:22222222:vzstart:100:root@pam: OK
+ - Sep 10 22:13:47 example pvestatd[1892]: modified cpu set for lxc/100: 4
+ - Sep 10 06:25:44 example pveproxy[15342]: received signal TERM
+ - Sep 10 06:25:44 example pveproxy[15342]: server closing
+ - Sep 10 06:25:44 example pveproxy[15345]: worker exit
+ - Sep 10 06:25:44 example pveproxy[15344]: worker exit
+ - Sep 10 06:25:44 example pveproxy[15343]: worker exit
+ - Sep 10 06:25:44 example pveproxy[15342]: worker 15343 finished
+ - Sep 10 06:25:44 example pveproxy[15342]: worker 15344 finished
+ - Sep 10 06:25:44 example pveproxy[15342]: worker 15345 finished
+ - Sep 10 06:25:44 example pveproxy[15342]: server stopped
+ - Sep 10 06:25:45 example pveproxy[22375]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
+ - Sep 10 06:25:45 example pveproxy[22413]: starting server
+ - Sep 10 06:25:45 example pveproxy[22413]: starting 3 worker(s)
+ - Sep 10 06:25:45 example pveproxy[22413]: worker 22414 started
+ - Sep 10 06:25:45 example pveproxy[22413]: worker 22415 started
+ - Sep 10 06:25:45 example pveproxy[22413]: worker 22416 started
+ - Sep 10 06:25:47 example pvepw-logger[15428]: received terminate request (signal)
+ - Sep 10 06:25:47 example pvepw-logger[15428]: stopping pvefw logger
+ - Sep 10 06:25:48 example pvepw-logger[22551]: starting pvefw logger
+-->
+
+<decoder name="pvedaemon">
+ <program_name>^pvedaemon</program_name>
+</decoder>
+
+<decoder name="pvestatd">
+ <program_name>^pvestatd</program_name>
+</decoder>
+
+<decoder name="pveproxy">
+ <program_name>^pveproxy</program_name>
+</decoder>
+
+<decoder name="pvepw-logger">
+ <program_name>^pvepw-logger</program_name>
+</decoder>
+
+<decoder name="pvedaemon-auth-failed">
+ <parent>pvedaemon</parent>
+ <prematch>authentication failure; </prematch>
+ <regex offset="after_prematch">^rhost=(\S+) user=(\S+)@pam msg=|^rhost=(\S+) user=(\S+)@pve msg=</regex>
+ <order>srcip, user</order>
+</decoder>
+
+<decoder name="pvedaemon-auth-success">
+ <parent>pvedaemon</parent>
+ <prematch>successful auth for user '</prematch>
+ <regex offset="after_prematch">^(\S+)@pam'$|^(\S+)@pve'$</regex>
+ <order>user</order>
+</decoder>
+
+<decoder name="dhcpd">
+ <program_name>^dhcpd$</program_name>
+</decoder>
+
+<decoder name="dhcpd-data">
+ <parent>dhcpd</parent>
+ <regex offset="after_parent">^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$</regex>
+ <order>action, srcip, extra_data, extra_data</order>
+</decoder>
+
+<decoder name="dhcpd-ack">
+ <parent>dhcpd</parent>
+ <prematch> acking </prematch>
+ <regex offset="after_parent">already acking lease (\S+)</regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="dhcpd-release">
+ <parent>dhcpd</parent>
+ <prematch>^IP address</prematch>
+ <regex offset="after_parent">^IP address (\S+) </regex>
+ <order>srcip</order>
+</decoder>
+
+<!-- OpenBSD httpd -->
+<decoder name="openbsd-httpd">
+ <prematch> [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "</prematch>
+ <regex>^(\S+) (\S+) \S+ \S+ [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "(\S+) (\S+) HTTP/\d.\d" (\d+) \d$</regex>
+ <order>url, srcip, protocol, url, status</order>
+ <type>web-log</type>
+</decoder>
+
+<!-- dnsmasq -->
+<decoder name="dnsmasq">
+ <!--<program_name>^dnsmasq</program_name>-->
+ <prematch>^dnsmasq</prematch>
+</decoder>
+
+<decoder name="dnsmasq2">
+ <parent>dnsmasq</parent>
+ <regex offset="after_parent">^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) to (\S+)|</regex>
+ <regex>^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) from (\S+)|</regex>
+ <regex>^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) is (\S+)</regex>
+ <order>srcip, action, url, extra_data</order>
+</decoder>
+
+<!-- Kaspersky Endpoint Security 10 for Linux -->
+<!-- Kesl example Logs -->
+<!-- Nov 5 00:11:21 hostname kesl: {"EventType": "AVBasesAreTotallyOutOfDate","EventId": "27336","TaskName": "Update","TaskId": "6","AVBasesDate": "2018-10-17 09:49:00"} -->
+<!-- Oct 25 13:11:21 hostname kesl: {"EventType": "AVBasesAreOutOfDate","EventId": "27311","TaskName": "Update","TaskId": "6","AVBasesDate": "2018-10-17 09:49:00"} -->
+<!-- Nov 10 13:19:27 hostname kesl: {"EventType": "UpdateError","EventId": "27381","TaskType": "Update","TaskName": "Update","TaskId": "6","RuntimeTaskId": "120"} -->
+<!-- Nov 10 13:22:09 hostname kesl: {"EventType": "ThreatDetected","EventId": "27384","DetectName": "EICAR-Test-File","DetectType": "Virware","DetectCertainty": "Sure","DetectSource": "Local","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "20","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "root","AccessUserId": "0","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectSavedToBackup","EventId": "27448","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectNotDisinfected","EventId": "27449","ObjectNotDisinfectedReason": "NonCurable","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectDeleted","EventId": "27450","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 12:44:04 hostname kesl: {"EventType": "TaskStateChanged","EventId": "27438","TaskName": "Update","TaskType": "Update","TaskId": "6","TaskState": "Starting","PrevTaskState": "Stopped","TaskRequestInitiator": "User","RuntimeTaskId": "127"} -->
+<!-- Nov 14 12:44:04 hostname kesl: {"EventType": "TaskStateChanged","EventId": "27439","TaskName": "Update","TaskType": "Update","TaskId": "6","TaskState": "Started","PrevTaskState": "Starting","TaskRequestInitiator": "User","RuntimeTaskId": "127"} -->
+
+<decoder name="kesl">
+ <program_name>^kesl</program_name>
+</decoder>
+
+<decoder name="kesl-avbases-old">
+ <parent>kesl</parent>
+ <prematch>^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\p</prematch>
+ <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\p\p</regex>
+ <order>status, id, action, extra_data</order>
+</decoder>
+
+<decoder name="kesl-threat-detected">
+ <parent>kesl</parent>
+ <prematch>^\p\pEventType\p: \p\S+\p,\pEventID\p: \p\d+\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p\S+\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \p\S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p</prematch>
+ <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventID\p: \p(\d+)\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p(\S+)\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p</regex>
+ <order>status, id, extra_data, action</order>
+</decoder>
+
+<decoder name="kesl-taskstatechange">
+ <parent>kesl</parent>
+ <prematch>^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p\S+\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p\S+\p,\pRuntimeTaskId\p: \p\d+\p\p</prematch>
+ <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p(\S+)\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p(\S+)\p,\pRuntimeTaskId\p: \p\d+\p\p</regex>
+ <order>action, id, extra_data, status, srcuser</order>
+</decoder>
+
+<!-- MHN - Json log decoder - Dionaea -->
+<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-09-14T11:02:54.215411", "dionaea_action": "reject", "type": "dionaea.connections", "app": "dionaea", "src_ip": "16.10.10.10", "vendor_product": "Dionaea", "dest_port": 365, "signature": "Connection to Honeypot", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
+<decoder name="dionaea">
+ <prematch>dionaea.connections</prematch>
+ <regex>^{\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: "(\S+)", \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
+ <order>extra_data, protocol, action, srcip, dstport, srcport, dstip</order>
+</decoder>
+
+<!-- MHN - Json log decoder - Cowrie -->
+<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "ssh_username": "admin", "app": "cowrie", "transport": "tcp", "dest_port": 22, "src_port": 45302, "severity": "high", "timestamp": "2018-10-23T11:22:36.597864", "vendor_product": "Cowrie", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "src_ip": "16.10.10.10", "ssh_password": "password", "signature": "SSH login attempted on cowrie honeypot", "ssh_version": "'SSH-2.0-Sun_SSH_1.1.4'", "type": "cowrie.sessions", "dest_ip": "16.10.10.11"} -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-10-23T07:45:56.937787", "vendor_product": "Cowrie", "type": "cowrie.sessions", "app": "cowrie", "src_ip": "16.10.10.10", "dest_port": 22, "signature": "SSH session on cowrie honeypot", "ssh_version": "'SSH-2.0-Sun_SSH_1.1.4'", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-11-14T10:32:38.686578", "app": "cowrie", "transport": "tcp", "dest_port": 22, "src_port": 45302, "severity": "high", "vendor_product": "Cowrie", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "src_ip": "16.10.10.10", "command": "whoami", "signature": "command attempted on cowrie honeypot", "ssh_version": "'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4'", "type": "cowrie.sessions", "dest_ip": "16.10.10.11"} -->
+
+<decoder name="cowrie">
+ <prematch>cowrie.sessions</prematch>
+</decoder>
+
+<decoder name="cowrie-attempt">
+ <parent>cowrie</parent>
+ <prematch>"SSH login attempted</prematch>
+ <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
+ <order>protocol, extra_data, user, dstport, srcport, srcip, action, dstip</order>
+</decoder>
+
+<decoder name="cowrie-session">
+ <parent>cowrie</parent>
+ <prematch>"SSH session on cowrie honeypot</prematch>
+ <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: "(\S+)", \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
+ <order>protocol, extra_data, srcip, dstport, action, srcport, dstip</order>
+</decoder>
+
+<decoder name="cowrie-command">
+ <parent>cowrie</parent>
+ <prematch>"command attempted on cowrie honeypot</prematch>
+ <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
+ <order>protocol, extra_data, dstport, srcport, srcip, action, dstip</order>
+</decoder>
+