X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=etc%2Fdecoder.xml;h=1d73df8bdbacc766558eaa33661e6c65b3b126c7;hb=HEAD;hp=c809108565f180d0b87c71b69efa27a7b48bfea1;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git

diff --git a/etc/decoder.xml b/etc/decoder.xml
old mode 100755
new mode 100644
index c809108..1d73df8
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -1,9 +1,9 @@
-<!-- @(#) $Id: decoder.xml,v 1.162 2009/11/09 20:32:29 dcid Exp $
+<!-- @(#) $Id: decoder.xml,v 1.166 2010/06/15 12:52:01 dcid Exp $
   -  OSSEC log decoder.
   -  Author: Daniel B. Cid
   -  License: http://www.ossec.net/en/licensing.html
   -->
-        
+
 
 <!--
    - Allowed fields:
@@ -16,7 +16,7 @@
    - srcport  - source port
    - dstport  - destination port
    - protocol - protocol
-   - id       - event id 
+   - id       - event id
    - url      - url of the event
    - action   - event action (deny, drop, accept, etc)
    - status   - event status (success, failure, etc)
@@ -44,6 +44,7 @@
   - Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
   - Sep 28 15:28:58 server login: pam_unix(login:session): session opened for user carl by LOGIN(uid=0)
   - Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for user carl by (uid=0)
+  - Mar 29 00:42:09 server saslauthd[1230]: pam_succeed_if(smtp:auth): error retrieving information about user demo
   -->
 <decoder name="pam">
   <program_name>(pam_unix)$</program_name>
@@ -51,7 +52,7 @@
 
 <decoder name="pam">
   <program_name></program_name>
-  <prematch>^pam_unix|^\(pam_unix\)</prematch>
+  <prematch>^pam_unix|^\(pam_unix\)|^pam_succeed_if</prematch>
 </decoder>
 
 <decoder name="pam-user">
@@ -59,7 +60,15 @@
   <prematch>^session \w+ </prematch>
   <regex offset="after_prematch">^for user (\S+)</regex>
   <order>user</order>
-</decoder>  
+</decoder>
+
+<!--XXXX<decoder name="pam-user2">
+  <parent>pam</parent>
+  <prematch>^session \S+ </prematch>
+  <regex>for user (\S+)</regex>
+  <order>user</order>
+</decoder>
+-->
 
 <decoder name="pam-host-user">
   <parent>pam</parent>
@@ -68,6 +77,19 @@
   <order>srcip, user</order>
 </decoder>
 
+<decoder name="pam-ruser">
+  <parent>pam</parent>
+  <prematch> ruser</prematch>
+  <regex offset="after_prematch">^=(\S+) </regex>
+  <order>user</order>
+</decoder>
+
+<decoder name="pam-ruser">
+  <parent>pam</parent>
+  <regex> rhost=(\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
 <decoder name="pam-host">
   <parent>pam</parent>
   <prematch> rhost</prematch>
@@ -76,7 +98,6 @@
 </decoder>
 
 
-  
 <!-- SSH decoder.
   -  Will extract username and srcip from the logs.
   -  Only add to the FTS if the login was successful
@@ -91,9 +112,9 @@
   -  sshd[12914]: Failed password for invalid user lala6 from ...
   -  sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
   -  sshd[11259]: Invalid user abc from 127.0.0.1
-  -  "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2    
+  -  "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
   -  sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
-  -  authenticated. 
+  -  authenticated.
   -  sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
   -  sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
   -  failed - POSSIBLE BREAKIN ATTEMPT!
@@ -103,6 +124,26 @@
   -  Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
   not allowed because not listed in AllowUsers
   -  sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
+  -  Sep  4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
+  -  Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
+  -  Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
+  -  Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
+  -  Jun  9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
+  -  Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
+  -  Oct  8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
+  -  Oct  8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
+  -  Oct  8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
+  -  Oct  8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
+  -  Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
+  -  Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
+  -  Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
+  -  Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
+  -  Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
+  -  Nov  9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
+  -  Nov  2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
+  -  Nov  2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
+  -  Nov  6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
+  -  Nov  9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
   -->
 
 <decoder name="sshd">
@@ -132,6 +173,13 @@
   <fts>name, user, location</fts>
 </decoder>
 
+<decoder name="ssh-kbd">
+  <parent>sshd</parent>
+  <prematch offset="after_parent">^Postponed keyboard-interactive|^Failed keyboard-interactive</prematch>
+  <regex offset="after_prematch"> user (\S+) from (\S+) port (\d+) </regex>
+  <order>user, srcip, srcport</order>
+</decoder>
+
 <decoder name="ssh-invfailed">
   <parent>sshd</parent>
   <prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
@@ -142,7 +190,7 @@
 <decoder name="ssh-failed">
   <parent>sshd</parent>
   <prematch>^Failed \S+ </prematch>
-  <regex offset="after_prematch">^for (\S+) from (\S+) port \d+ \w+$</regex>
+  <regex offset="after_prematch">^for (\S+) from (\S+) port \d+</regex>
   <order>user, srcip</order>
 </decoder>
 
@@ -153,17 +201,24 @@
   <order>user, srcip</order>
 </decoder>
 
+<decoder name="ssh-pam-error">
+  <parent>sshd</parent>
+  <prematch>^error: PAM: </prematch>
+  <regex offset="after_prematch">user (\S+) from (\S+)</regex>
+  <order>user, srcip</order>
+</decoder>
+
 <decoder name="ssh-reverse-mapping">
   <parent>sshd</parent>
   <prematch>^reverse mapping checking </prematch>
-  <regex offset="after_prematch">^\w+ for (\S+) </regex>
+  <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
   <order>srcip</order>
-</decoder>       
+</decoder>
 
 <decoder name="ssh-invalid-user">
   <parent>sshd</parent>
   <prematch>^Invalid user|^Illegal user</prematch>
-  <regex offset="after_prematch"> from (\S+)$</regex>
+  <regex offset="after_prematch"> from (\S+)</regex>
   <order>srcip</order>
 </decoder>
 
@@ -174,20 +229,176 @@
   <order>srcip</order>
 </decoder>
 
+<decoder name="ssh-received">
+  <parent>sshd</parent>
+  <prematch>^Received disconnect </prematch>
+  <regex offset="after_prematch">^from (\S+): |^from (\S+) </regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-disconnected">
+  <parent>sshd</parent>
+  <prematch>^Disconnected from invalid user</prematch>
+  <regex offset="after_prematch">\S+ (\S+) </regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-connection">
+  <parent>sshd</parent>
+  <prematch>^Connection closed by </prematch>
+  <regex offset="after_prematch">user (\S+) (\S+) </regex>
+  <order>user, srcip</order>
+</decoder>
+
+<decoder name="ssh-negotiate">
+  <parent>sshd</parent>
+  <prematch>^Unable to negotiate with </prematch>
+  <regex offset="after_prematch">^(\S+) port (\d+)</regex>
+  <order>srcip, srcport</order>
+</decoder>
+
+<decoder name="ssh-protocol">
+  <parent>sshd</parent>
+  <prematch>^Protocol major versions differ for </prematch>
+  <regex offset="after_prematch">^(\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+<!--
+Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 112.98.69.104 port 3533
+Jul 12 16:10:41 cloud sshd[14530]: Bad protocol version identification 'GET http://check2.zennolab.com/proxy.php HTTP/1.1' from 46.182.129.46 port 60866
+Jul 12 16:11:31 cloud sshd[14582]: Bad protocol version identification 'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1' from 88.244.115.169 port 62240
+Jul 12 16:12:15 cloud sshd[14662]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 118.76.116.187 port 54513
+e.g. OpenSSH > 7.2:
+Sep  4 21:13:05 example sshd[12853]: Did not receive identification string from 192.168.0.1 port 33021
+e.g. OpenSSH <= 7.2:
+Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from 192.168.0.1
+-->
+
 <decoder name="ssh-scan2">
   <parent>sshd</parent>
-  <prematch>^Did not receive identification|^Bad protocol version</prematch>
-  <regex offset="after_prematch"> from (\S+)$</regex>
+  <prematch>^Did not receive identification |^Bad protocol version </prematch>
+  <regex offset="after_prematch"> from (\S+)$| from (\S+) port (\d+)$</regex>
+  <order>srcip,srcport</order>
+</decoder>
+
+<decoder name="ssh-osx-refuse">
+  <parent>sshd</parent>
+  <prematch>^refused connect </prematch>
+  <regex offset="after_prematch">^from (\S+)$|^from \S+ \((\S+\w+)\)$|^from \S+ \((\S+::)\)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-closed">
+  <parent>sshd</parent>
+  <prematch>^Connection closed </prematch>
+  <regex offset="after_prematch">^by (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-disconnect">
+  <parent>sshd</parent>
+  <prematch>^Received disconnect </prematch>
+  <regex offset="after_prematch">^from (\S+):</regex>
+  <order>srcip</order>
+</decoder>
+
+<!--XXX
+<decoder name="ssh-pam">
+  <parent>sshd</parent>
+  <prematch>PAM: Module</prematch>
+  <regex>for (\S+) from (\S+)$</regex>
+  <order>user, srcip</order>
+</decoder>
+
+<decoder name="ssh-connect-to">
+  <parent>sshd</parent>
+  <prematch>connect_to</prematch>
+  <regex>connect_to: (\S+) port (\d+):</regex>
+  <order>dstip,dstport</order>
+</decoder>
+-->
+
+<decoder name="sshd-ldap">
+  <parent>sshd</parent>
+  <prematch>^pam_ldap: </prematch>
+  <regex>user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"</regex>
+  <order>user</order>
+</decoder>
+
+<decoder name="sshd-negotiate">
+  <parent>sshd</parent>
+  <prematch offset="after_parent">fatal: Unable to negotiate with </prematch>
+  <regex offset="after_prematch">^(\S+) port (\d+): |^(\S+): </regex>
+  <order>srcip, srcport</order>
+</decoder>
+
+<decoder name="sshd-pam-host-user">
+  <parent>sshd</parent>
+  <prematch>rhost=\S+\s+user=\S+</prematch>
+  <regex>rhost=(\S+)\s+user=(\S+)</regex>
+  <order>srcip, user</order>
+</decoder>
+
+<!--
+<decoder name="sshd-invalid">
+  <parent>sshd</parent>
+  <prematch>^input_user_auth_request: </prematch>
+  <regex offset="after_prematch"> user (\S+)</regex>
+  <order>user</order>
+</decoder>
+-->
+
+<decoder name="sshd-exceed">
+  <parent>sshd</parent>
+  <prematch> exceeded for </prematch>
+  <regex offset="after_prematch">(\S+) from (\S+) port (\d+) </regex>
+  <order>user, srcip, srcport</order>
+</decoder>
+
+
+<!-- Dropbear rules -->
+<decoder name="dropbear">
+  <program_name>^dropbear</program_name>
+</decoder>
+
+<!--
+Jan  8 16:39:33 tp.lan dropbear[14824]: Bad password attempt for 'root' from 193.219.28.149:48629
+-->
+
+<decoder name="dropbear-bad-password">
+  <parent>dropbear</parent>
+  <prematch>password</prematch>
+  <regex offset="after_prematch">for '(\S+)' from (\S+):\d+$</regex>
+  <order>dstuser, srcip</order>
+</decoder>
+
+<!--
+Jan  8 19:54:12 tp.lan dropbear[15197]: Login attempt for nonexistent user from 182.72.89.122:4328
+-->
+
+<decoder name="dropbear-nonexist">
+  <parent>dropbear</parent>
+  <prematch>nonexistent</prematch>
+  <regex offset="after_prematch">from (\S+):\d+$</regex>
   <order>srcip</order>
 </decoder>
 
+<!--
+Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with key md5 78:d6:41:ca:78:37:80:88:1d:15:0a:68:91:d1:4e:ad from 10.10.10.241:51737
+-->
 
+<decoder name="dropbear-from">
+  <parent>dropbear</parent>
+  <regex>(\S+) for '(\S+)' with key \S+ (\S+) from (\S+):\d+$</regex>
+  <order>status,dstuser,extra_data,srcip</order>
+</decoder>
 
 <!--
  - Telnet decoder
  - Will extract the srcip
  - Examples:
- - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname: 
+ - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname:
    gethostbyname(131.1.satis-tl.ru) failed
  - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
  - Jun  1 23:02:07 queen telnetd[62948]: connect from external.example.net
@@ -201,19 +412,55 @@
 
 <decoder name="telnetd-ip">
   <parent>telnetd</parent>
-  <regex>from (\d+.\d+.\d+.\d+)$</regex>
+  <regex>from (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+
+<!--
+ - rshd decoder
+ - Example message:
+ - Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
+ -->
+<decoder name="rshd">
+  <program_name>^rshd$</program_name>
+</decoder>
+
+<decoder name="rshd-illegal-connection">
+  <parent>rshd</parent>
+  <regex>^Connection from (\S+) on illegal port$</regex>
   <order>srcip</order>
 </decoder>
 
 
 
 <!--
+ - cimserver decoder
+ - Example messages:
+ - Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
+ - Dec 18 18:06:29 hostname cimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
+ -->
+<decoder name="cimserver">
+  <program_name>^cimserver$</program_name>
+</decoder>
+
+<decoder name="cimserver-failed-authentication">
+  <parent>cimserver</parent>
+  <prematch>^\w+: Authentication failed for user </prematch>
+  <regex offset="after_prematch">^(\S+).$</regex>
+  <order>user</order>
+</decoder>
+
+
+
+<!--
  - Samba decoder.
- - Will extraxt the username/srcip
+ - Will extract the username/srcip
  - Examples:
  - smbd[832]: Denied connection from (192.168.3.23)
  - smbd[832]: Connection denied from 0.0.0.0
- - smbd[17535]: Permission denied\-\- user not allowed to delete, 
+ - smbd[17535]: Permission denied\-\- user not allowed to delete,
    pause, or resume print job. User name: ahmet. Printer name: prnq1.
   -->
 
@@ -230,10 +477,27 @@
 
 <decoder name="smbd-ip">
   <parent>smbd</parent>
-  <regex> from \((\d+.\d+.\d+.\d+)\)</regex>
+  <regex> from \((\S+)\)</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="smbd-from">
+  <parent>smbd</parent>
+  <prematch> from (\S+)$</prematch>
+  <regex> from (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="smbd-client">
+  <parent>smbd</parent>
+  <prematch>to client \S+.</prematch>
+  <regex>to client (\S+). </regex>
   <order>srcip</order>
 </decoder>
 
+<decoder name="nmbd">
+  <program_name>^nmbd</program_name>
+</decoder>
 
 
 <!-- Sudo decoder.
@@ -243,15 +507,16 @@
   -  Apr 27 15:25:08 niban sudo:     dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
   -  Apr 14 10:59:01 enigma sudo:     dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
   -  Apr 19 14:52:02 enigma sudo:     dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
+  -  Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
   -->
 <decoder name="sudo">
   <program_name>^sudo</program_name>
-  <regex>^\s+(\S+)\s:</regex>
-  <order>user</order>
-  <fts>name,user,location</fts>
+  <regex>^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sCOMMAND=(\.+)$|</regex>
+  <regex>^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sTSID=\S+\s;\sCOMMAND=(\.+)$</regex>
+  <order>dstuser,url,srcuser,status</order>
+  <fts>name,dstuser,location</fts>
   <ftscomment>First time user executed the sudo command</ftscomment>
-</decoder>  
-
+</decoder>
 
 <!-- Su decoder.
   -  Will extract the username.
@@ -272,20 +537,18 @@
 </decoder>
 
 <decoder name="su-detail">
-  <parent>su</parent>  
+  <parent>su</parent>
   <prematch>^'su </prematch>
   <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
   <order>dstuser, srcuser</order>
   <fts>name, srcuser, location</fts>
 </decoder>
 
-<decoder name="su-detail2">
-  <parent>su</parent>  
-  <regex>^BAD SU (\S+) to (\S+) on|</regex>
-  <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
-  <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
-  <order>srcuser, dstuser</order>
-  <fts>name, srcuser, location</fts>
+<decoder name="su-ldap">
+  <parent>su</parent>
+  <prematch>pam_ldap</prematch>
+  <regex>user "uid=(\S+),</regex>
+  <order>user</order>
 </decoder>
 
 <decoder name="su">
@@ -295,6 +558,23 @@
   <fts>name, srcuser, location</fts>
 </decoder>
 
+<decoder name="su-failed">
+  <parent>su</parent>
+  <prematch>^FAILED SU </prematch>
+  <regex offset="after_prematch">^\(to (\S+) (\S+) on</regex>
+  <order>dstuser, srcuser</order>
+</decoder>
+
+<decoder name="su-detail2">
+  <parent>su</parent>
+  <prematch> </prematch>
+  <regex>^BAD SU (\S+) to (\S+) on|</regex>
+  <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
+  <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
+  <order>srcuser, dstuser</order>
+  <fts>name, srcuser, location</fts>
+</decoder>
+
 
 
 <!-- ProFTPD decoder.
@@ -305,13 +585,14 @@
   - proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful.
   - proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2)
   - proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied.
+  - proftpd[26169] server.example.net: Fatal: unable to open incoming connection: Der Socket ist nicht verbunden
   -->
-<decoder name="proftpd">  
+<decoder name="proftpd">
   <program_name>^proftpd</program_name>
 </decoder>
 
 <decoder name="proftpd-success">
-  <parent>proftpd</parent>  
+  <parent>proftpd</parent>
   <prematch>: Login successful</prematch>
   <regex>^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+): </regex>
   <regex>Login successful</regex>
@@ -353,7 +634,20 @@
   <parent>pure-ftpd</parent>
   <regex>^\((\S+)@(\S+)\) [</regex>
   <order>user,srcip</order>
-</decoder>  
+</decoder>
+
+<!-- Pure-FTPd transfer log decoder
+  - Examples from ossec-list:
+  - example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  - example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  -->
+
+<decoder name="pure-transfer">
+  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d \S\d\d\d\d] "\w+ \S+" </prematch>
+  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
+  <order>extra_data,dstuser,action,url,status</order>
+</decoder>
+
 
 
 
@@ -364,24 +658,65 @@
   - Sun Jun  4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
   - Sun Jun  4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
   - Sun Jun  4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
-  - Sat Jun  3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client
-  "211.100.27.101"
+  - Sat Jun  3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101"
   - Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
   - Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76"
-  -->
+  - Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
+  - Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
+  - Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"
+  
 <decoder name="vsftpd">
   <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
-  <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
+  <regex offset="after_prematch">Client "(\S+)"$</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="vsftpd">
   <program_name>^vsftpd</program_name>
   <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
-  <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
+  <regex offset="after_prematch">Client "(\S+)"$</regex>
   <order>srcip</order>
 </decoder>
+-->
+
+<!-- #####################################################
+     Add by Omar MEZRAG - 0xFFFFFF
+     ##################################################### -->
+
+<decoder name="vsftpd">
+  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
+</decoder>
+
+<decoder name="vsftpd">
+  <program_name>^vsftpd</program_name>
+  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
+</decoder>
+
+<decoder name="vsftpd_login">
+  <parent>vsftpd</parent>
+  <prematch offset="after_parent"> LOGIN:</prematch>
+  <regex offset="after_parent">[(\S+)] (\S+ LOGIN): Client "(\S+\w)"$</regex>
+  <order>user,status,srcip</order>
+</decoder>
+
+<decoder name="vsftpd_connect">
+  <parent>vsftpd</parent>
+  <prematch offset="after_parent">^CONNECT:</prematch>
+  <regex offset="after_parent">(CONNECT): Client "(\S+\w+)"$</regex>
+  <order>action,srcip</order>
+</decoder>
 
+<decoder name="vsftpd_cmd">
+  <parent>vsftpd</parent>
+  <regex offset="after_parent">[(\S+)] (OK \S+): Client "(\S+)", "(\.+)"\.*</regex>
+  <order>user,status,srcip,url</order>
+</decoder>
+
+<decoder name="vsftpd_default">
+  <parent>vsftpd</parent>
+  <regex offset="after_parent">Client "(\S+\w)"$</regex>
+  <order>srcip</order>
+</decoder>
 
 
 <!-- FTPD decoder - Solaris, MacOS and Wu-ftpd).
@@ -389,6 +724,7 @@
   - ftpd[811166]: refused connect from 88.225.42.182
   - in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
   - ftpd[31918]: FTPD: EXPORT file local , remote
+  - Dec 21 12:21:20 hostname ftpd[323115]: login jones_b from client.example.org failed.
   -->
 <decoder name="ftpd">
   <program_name>^ftpd|^in.ftpd</program_name>
@@ -398,23 +734,31 @@
   <parent>ftpd</parent>
   <prematch>^Failed authentication from: \S+ |</prematch>
   <prematch>^repeated login failures from </prematch>
-  <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]$</regex>
+  <!--<regex offset="after_prematch">(\S+)</regex>-->
+  <regex offset="after_prematch">^\S+ [(\S+)]$|^(\S+)</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="ftpd-refused">
   <parent>ftpd</parent>
   <prematch>^FTP LOGIN REFUSED </prematch>
-  <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]$</regex>
+  <regex offset="after_prematch">[(\S+)]$</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="ftpd-ip">
   <parent>ftpd</parent>
-  <regex>from (\d+.\d+.\d+.\d+)$</regex>
+  <regex>from (\S+)$</regex>
   <order>srcip</order>
 </decoder>
 
+<decoder name="ftpd-tru64">
+  <parent>ftpd</parent>
+  <prematch>^login \S+ from \S+ failed.</prematch>
+  <regex>^login (\S+) from (\S+) failed.$</regex>
+  <order>user, srcip</order>
+</decoder>
+
 
 
 <!-- Arpwatch decoder.
@@ -423,6 +767,8 @@
   - arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
   - arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
   - arpwatch: new station 192.168.2.10 0:c0:4f:78:32:be
+  - arpwatch: pcap open re0: /dev/bpf0: Permission denied
+  - arpwatch: reused old ethernet address 192.168.17.248 0:e:3b:a:cb:67 (0:1e:8c:72:b0:d0)
   -->
 <decoder name="arpwatch">
   <program_name>^arpwatch</program_name>
@@ -431,7 +777,7 @@
 <decoder name="arpwatch-new">
   <parent>arpwatch</parent>
   <prematch>^new station |^bogon </prematch>
-  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) (\S+)</regex>
+  <regex offset="after_prematch">^(\S+) (\S+)</regex>
   <order>srcip, extra_data</order>
   <fts>name, srcip, extra_data</fts>
 </decoder>
@@ -460,7 +806,7 @@
   <prematch>^[\d\d\d\d-\d\d-\d\d \S+ \w+] </prematch>
   <regex offset="after_prematch">^\S+ (\w+): </regex>
   <order>status</order>
-</decoder>  
+</decoder>
 
 
 
@@ -471,11 +817,11 @@
   - imapd[21040]: Login failed user=root domain=(null) auth=root host=host29-141.poo
     l8249.interbusiness.it [82.49.141.29]
   - imapd[27113]: Authenticated user=badyy host=a.resenet.com.br [1.2.3.4]
-  - imapd[27113]: Logout user=badyy host=a.resenet.com.br [1.2.3.4]  
+  - imapd[27113]: Logout user=badyy host=a.resenet.com.br [1.2.3.4]
   -->
 <decoder name="imapd">
   <program_name>^imapd</program_name>
-  <regex offset="after_prematch">user=(\S+) \.+ [(\d+.\d+.\d+.\d+)]$</regex>    
+  <regex offset="after_prematch">user=(\S+) \.+ [(\S+)]$</regex>    
   <order>user,srcip</order>
 </decoder>
 
@@ -483,10 +829,10 @@
 
 <!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
   - Examples:
-  - vpopmail[32485]: vchkpw-pop3: password fail abc@xxx.com:x.x.x.x
-  - vpopmail[32485]: vchkpw-2110 password fail abc@xxx.com:x.x.x.x
+  - vpopmail[32485]: vchkpw-pop3: password fail abc@example.com:x.x.x.x
+  - vpopmail[32485]: vchkpw-2110 password fail abc@example.com:x.x.x.x
   -                  vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
-  - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
+  - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@example.com:x.x.x.x
   - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
   -->
 <decoder name="vpopmail">
@@ -496,28 +842,28 @@
 <decoder name="vpopmail-fail">
   <parent>vpopmail</parent>
   <prematch>^vchkpw-\S+: password fail</prematch>
-  <regex offset="after_prematch"> (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
+  <regex offset="after_prematch"> (\S+)@\S+:(\S+)$</regex>
   <order>user, srcip</order>
 </decoder>
 
 <decoder name="vpopmail-notfound">
   <parent>vpopmail</parent>
   <prematch>^vchkpw-\S+: vpopmail user not </prematch>
-  <regex offset="after_prematch">^found (\S+):(\d+.\d+.\d+.\d+)$</regex>
+  <regex offset="after_prematch">^found (\S+):(\S+)$</regex>
   <order>user, srcip</order>
 </decoder>
 
 <decoder name="vpopmail-empty">
   <parent>vpopmail</parent>
   <prematch>^vchkpw-\S+: null password </prematch>
-  <regex offset="after_prematch">^given (\S+):(\d+.\d+.\d+.\d+)$</regex>
+  <regex offset="after_prematch">^given (\S+):(\S+)$</regex>
   <order>user, srcip</order>
 </decoder>
 
 <decoder name="vpopmail-success">
   <parent>vpopmail</parent>
   <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
-  <regex offset="after_prematch">^success (\S+):(\d+.\d+.\d+.\d+)$</regex>
+  <regex offset="after_prematch">^success (\S+):(\S+)$</regex>
   <order>user, srcip</order>
 </decoder>
 
@@ -534,7 +880,7 @@
   <parent>vm-pop3d</parent>
   <prematch>^User '</prematch>
   <regex offset="after_prematch">^(\S+)' - \w+ auth, </regex>
-  <regex>from=(\d+.\d+.\d+.\d+)$</regex>
+  <regex>from=(\S+)$</regex>
   <order>user, srcip</order>
 </decoder>
 
@@ -549,19 +895,19 @@
   - Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
   -->
 <decoder name="courier">
-  <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
+  <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap</program_name>
 </decoder>
 
 <decoder name="courier-login">
   <parent>courier</parent>
   <prematch>^LOGIN, </prematch>
-  <regex offset="after_prematch">^user=(\S+), ip=[(\S+\d)]$</regex>
+  <regex offset="after_prematch">^user=(\S+), ip=[(\S+)]$</regex>
   <order>user, srcip</order>
 </decoder>
 
 <decoder name="courier-generic">
   <parent>courier</parent>
-  <regex>, ip=[(\S+\d)]$</regex>
+  <regex>, ip=[(\S+)]$</regex>
   <order>srcip</order>
 </decoder>
 
@@ -577,12 +923,16 @@
   - dovecot: Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
   - dovecot: Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
   - dovecot: Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
-  - Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user 
+  - Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
   - Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
   - Jul  4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
   - dovecot: Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
   - dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
   - Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
+  - Dec 19 17:40:57 ny dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 51 secs): user=<thousands>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<tlMSaQZE/JttycjJ>
+  - Dec 19 17:30:39 ny dovecot: imap-login: Disconnected: Inactivity (auth failed, 7 attempts in 176 secs): user=<32>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203,session=<7QTLPAZEXrhtycjJ>
+  - Dec 19 17:38:54 ny dovecot: pop3-login: Disconnected: Inactivity during authentication (auth failed, 13 attempts in 179 secs): user=<thousands>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<feETWgZEzJltycjJ>
+  - Dec 19 17:20:08 ny dovecot: imap-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<i8uMIAZEDrdtycjJ>
 -->
 
 <decoder name="dovecot">
@@ -592,24 +942,54 @@
 <decoder name="dovecot-success">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
-  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), </regex>
-  <order>user, srcip</order>
+  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$</regex>
+  <order>user, srcip, dstip, protocol</order>
 </decoder>
 
 <decoder name="dovecot-aborted">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
-  <regex offset="after_prematch"> user=\p\S+>, method=\w+, rip=(\S+), lip=\S+</regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), (\S*)$</regex>
+  <order>user, srcip, dstip, protocol</order>
+</decoder> 
+
+<decoder name="dovecot-fail">
+  <parent>dovecot</parent>
+  <prematch offset="after_parent">^auth\(default\)|auth-worker\(default\)</prematch>
+  <regex offset="after_prematch">^: \S+\((\S+),(\S+)\)</regex>
+  <order>user, srcip</order>
+</decoder>
+
+<decoder name="dovecot-authfailed">
+  <parent>dovecot</parent>
+  <prematch offset="after_parent">^\w\w\w\w-login:</prematch>
+  <regex offset="after_prematch">\(auth failed, \d+ attempts in \d+ secs\): user=\p(\S+)\p, method=\w+, rip=(\S+), lip=(\S+)</regex>
+  <order>user,srcip,dstip</order>
 </decoder>
 
 <decoder name="dovecot-disconnect">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Disconnected: </prematch>
-  <regex offset="after_prematch">^rip=(\S+), </regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">^rip=(\S+), lip=(\S+)</regex>
+  <order>srcip, dstip</order>
+</decoder>
+
+<decoder name="dovecot-info">
+  <program_name>^Info$|^Warn$</program_name>
+</decoder>
+
+<decoder name="imap-login-login">
+  <parent>dovecot-info</parent>
+  <prematch>imap-login</prematch>
+  <regex offset="after_parent">Login: user=(\S+), method=\.+, rip=(\S+), lip=(\S+) </regex>
+  <order>user, srcip, dstip</order>
 </decoder>
 
+<decoder name="dovecot-info-auth">
+  <parent>dovecot-info</parent>
+  <regex offset="after_parent">auth\(\.+\): \S+\((\S+),(\S+)\):</regex>
+  <order>user, srcip</order>
+</decoder>
 
 
 <!-- Named decoder.
@@ -617,31 +997,52 @@
   - Examples:
   -  valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
   - named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
- -->           
+  -  Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
+  -  Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
+ -->
 <decoder name="named">
   <program_name>^named</program_name>
 </decoder>
 
+<decoder name="named-query">
+  <parent>named</parent>
+  <prematch>: query </prematch>
+  <regex>client (\S+)#\d+\s*\S*: </regex>
+  <order>srcip,url</order>
+</decoder>
+
+<decoder name="named-query">
+  <parent>named</parent>
+  <regex>query: (\S+) IN|query \S+ '(\S+)/</regex>
+  <order>url</order>
+</decoder>
+
 <decoder name="named_client">
-  <parent>named</parent>  
+  <parent>named</parent>
   <prematch>^client </prematch>
-  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)#</regex>
+  <regex offset="after_prematch">^(\S+)#</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="named_from">
   <parent>named</parent>  
-  <regex offset="after_parent"> from [(\d+.\d+.\d+.\d+)]</regex>
+  <regex offset="after_parent"> from [(\S+)]</regex>
   <order>srcip</order>
 </decoder>
 
+<decoder name="named-master">
+  <parent>named</parent>
+  <prematch> for master</prematch>
+  <regex>for master (\S+):(\d+) \S+ \(source (\S+)#d+\)$</regex>
+  <order>dstip,dstport,srcip</order>
+</decoder>
 
 
 <!-- Postfix  decoder.
   - Will extract the srcip
-  - Examples: 
-  - postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 
-    <ce101@ce.metu.edu.tr>: Relay access denied; from=<kryonomm@yahoo.com> 
+  - Examples:
+  - postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554
+    <ce101@ce.metu.edu.tr>: Relay access denied; from=<kryonomm@yahoo.com>
     to=<e10445@jubiipost.dk> proto=SMTP helo=<SM01.net>
   - postfix/smtpd[27712]: NOQUEUE: reject: MAIL from localhost[127.0.0.1]: 452 Insufficient system storage
  -->
@@ -652,25 +1053,25 @@
 
 <decoder name="postfix-reject">
   <use_own_name>true</use_own_name>
-  <parent>postfix</parent>  
+  <parent>postfix</parent>
   <prematch>^NOQUEUE: reject: \w\w\w\w from </prematch>
-  <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]: (\d+) </regex>
+  <regex offset="after_prematch">[(\S+)]:\d+: (\d+) |[(\S+)]:(\d+): |[(\S+)]: (\d+) |[(\S+)]:(\d+): </regex>
   <order>srcip,id</order>
 </decoder>
 
 <decoder name="postfix-sasl">
-  <parent>postfix</parent>  
+  <parent>postfix</parent>
   <prematch>^warning: \S+: SASL </prematch>
-  <regex>^warning: \S+[(\d+.\d+.\d+.\d+)]:</regex>
+  <regex>^warning: \S+[(\S+)]:</regex>
   <order>srcip</order>
 </decoder>
 
 
 <!-- Sendmail decoder.
   - Will extract the srcip
-  - Examples: 
-  - sendmail[15806618]: k1SN9pkK15806618: ruleset=check_mail, arg1=<rtreter@qffff.com>, 
-  - relay=dsl.static81215198185.ttnet.net.tr [81.215.198.185] (may be forged), reject=553 5.1.8 
+  - Examples:
+  - sendmail[15806618]: k1SN9pkK15806618: ruleset=check_mail, arg1=<rtreter@qffff.com>,
+  - relay=dsl.static81215198185.ttnet.net.tr [81.215.198.185] (may be forged), reject=553 5.1.8
   - <rtreter@qffff.com>... Domain of sender address rtreter@qffff.com does not exist
   - sm-msp-queue[13484]: k5TKj6L5012934: to=root, ctladdr=root (0/0), delay=00:04:00, xdelay=00:00:00, mailer=relay, pri=120112, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
   - sendmail[7735]: [ID 801593 mail.notice] k856Hah0007735: ruleset=check_rcpt, arg1=<sc@sd.com>, relay=[216.22.33.7], reject=553 5.3.0 <sc@sd.com>... Spammer 216.22.33.7 usergl@displaytoward.net rejected by RBL:http://www.spamhaus.org/
@@ -680,26 +1081,26 @@
  -->
 <decoder name="sendmail-reject">
   <program_name>^sendmail|^sm-mta|^sm-msp-queue</program_name>
-</decoder>  
+</decoder>
 
 <decoder name="sendmail-pre-greeting">
   <parent>sendmail-reject</parent>
   <prematch>^\S+: rejecting commands from</prematch>
-  <regex offset="after_prematch">^ \S+ [(\d+.\d+.\d+.\d+)]</regex>
+  <regex offset="after_prematch">^ \S+ [(\S+)]</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="sendmail-reject-nodns">
   <parent>sendmail-reject</parent>
   <prematch>relay=[</prematch>
-  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]</regex>
+  <regex offset="after_prematch">^(\S+)]</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="sendmail-reject-dns">
   <parent>sendmail-reject</parent>
   <prematch>relay=\S+ [</prematch>
-  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]</regex>
+  <regex offset="after_prematch">^(\S+)]</regex>
   <order>srcip</order>
 </decoder>
 
@@ -720,8 +1121,8 @@
   <program_name>^smf-sav</program_name>
   <prematch>^sender check failed|</prematch>
   <prematch>^sender check tempfailed</prematch>
-  <regex offset="after_prematch">^ \(cached\): \S+, (\d+.\d+.\d+.\d+),|</regex>
-  <regex>^: \S+, (\d+.\d+.\d+.\d+),</regex>
+  <regex offset="after_prematch">^ \(cached\): \S+, (\S+),|</regex>
+  <regex>^: \S+, (\S+),</regex>
   <order>srcip</order>
 </decoder>
 
@@ -730,12 +1131,12 @@
 <!-- Mail scanner
   - Will extract the srcip/action
   - Examples:
-  - MailScanner[24112]: Message k7B9Mc6b015925 from 
+  - MailScanner[24112]: Message k7B9Mc6b015925 from
   68.171.145.34 (nilsenator@hotmail.com) to yyyyy.no is spam, SpamAssassin
-  - May  3 16:28:40 jarjar MailScanner[4732]: Message k436SX2M005191 from  
+  - May  3 16:28:40 jarjar MailScanner[4732]: Message k436SX2M005191 from
   111.222.111.222 (david@our.domain.org) to our.domain.org is spam
   , SpamAssassin
-  - MailScanner[5317]: Message k436dCIW005370 from  
+  - MailScanner[5317]: Message k436dCIW005370 from
   111.222.111.222 (david@our.domain.org) to another.domain.org is not s
   pam, SpamAssassin
   - MailScanner[29107]: Message j0EMandY027564 from xxx.xxx.xxx.xxx(xxxxx@xxxxx.ie) to xxxxx.ie is not spam
@@ -747,11 +1148,45 @@
 <decoder name="mailscanner-ip">
   <parent>mailscanner</parent>
   <prematch>^Message \S+ from </prematch>
-  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) \S+ to \S+ is (\w+)</regex>
+  <regex offset="after_prematch">^(\S+) \S+ to \S+ is (\w+)</regex>
   <order>srcip, action</order>
 </decoder>
 
 
+<!-- OpenBSD smtpd decoders -->
+
+<decoder name="smtpd">
+  <program_name>^smtpd</program_name>
+</decoder>
+
+<decoder name="smtpd-client">
+  <parent>smtpd</parent>
+  <prematch offset="after_parent">^client</prematch>
+  <regex>^client (\S+) </regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="smtpd-relay">
+  <parent>smtpd</parent>
+  <prematch>relay=</prematch>
+  <regex>relay=\S+ [(\S+)], </regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="smtpd-in">
+  <parent>smtpd</parent>
+  <prematch offset="after_parent">^smtp-in: </prematch>
+  <regex offset="after_prematch">^(\S+) </regex>
+  <order>status</order>
+</decoder>
+
+<decoder name="smtpd-in">
+  <parent>smtpd</parent>
+  <regex> => (\d+) </regex>
+  <order>action</order>
+</decoder>
+
+
 <!-- Iptables decoder.
   - Will extract the srcip, dstip, srcport, dstport, protocol
   - Examples:
@@ -759,23 +1194,23 @@
     SRC=192.168.6.57 DST=216.161.248.225 LEN=40 TOS=0x00 PREC=0x00 TTL=64
     ID=18547 DF PROTO=TCP SPT=46388 DPT=37628 WINDOW=6930 RES=0x00 ACK RST
     URGn=0
-  - kernel: IPTABLE IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:93:db:2e:b4:08:00 
-    SRC=10.4.11.40 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64 
+  - kernel: IPTABLE IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:93:db:2e:b4:08:00
+    SRC=10.4.11.40 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64
     ID=4753 PROTO=UDP SPT=49320 DPT=2222 LEN=160
-  - kernel: [4475569.016000] IN= OUT=lo SRC=192.168.2.11 DST=192.168.2.11 
-    LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=49546 DF PROTO=TCP SPT=43068 
-    DPT=22 WINDOW=8192 RES=0x00 ACK URGP=0     
-  - Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229   
+  - kernel: [4475569.016000] IN= OUT=lo SRC=192.168.2.11 DST=192.168.2.11
+    LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=49546 DF PROTO=TCP SPT=43068
+    DPT=22 WINDOW=8192 RES=0x00 ACK URGP=0
+  - Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
   -->
 <decoder name="iptables">
    <program_name>^kernel</program_name>
 </decoder>
-     
+
 <decoder name="iptables-1">
    <parent>iptables</parent>
    <type>firewall</type>
    <prematch>^[\d+.\d+] \S+ IN=</prematch>
-   
+
    <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
    <regex> \.+ PROTO=(\w+) </regex>
    <order>action,srcip,dstip,protocol</order>
@@ -792,7 +1227,7 @@
    <parent>iptables</parent>
    <type>firewall</type>
    <prematch>^\S+ IN=</prematch>
-   
+
    <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
    <regex>PROTO=(\w+) </regex>
    <order>action,srcip,dstip,protocol</order>
@@ -809,7 +1244,7 @@
    <parent>iptables</parent>
    <type>firewall</type>
    <prematch>^Shorewall:\S+:</prematch>
-   
+
    <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
    <regex>PROTO=(\w+) </regex>
    <order>action,srcip,dstip,protocol</order>
@@ -820,8 +1255,16 @@
    <type>firewall</type>
    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
    <order>srcport,dstport</order>
-</decoder>   
+</decoder>
 
+<decoder name="iptables-shorewall2">
+  <parent>iptables</parent>
+  <type>firewall</type>
+  <prematch>^\p\S+\p Shorewall:\S+:</prematch>
+  <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
+  <regex>PROTO=(\w+) </regex>
+  <order>action,srcip,dstip,protocol</order>
+</decoder>
 
 
 <!-- Solaris IPFilter decoder.
@@ -837,25 +1280,25 @@
 <decoder name="ipfilter">
    <type>firewall</type>
    <program_name>^ipmon</program_name>
-   <regex> (\w) (\d+.\d+.\d+.\d+),(\d+) -> </regex>
-   <regex>(\d+.\d+.\d+.\d+),(\d+) PR (\w+) </regex>
+   <regex> (\w) (\S+),(\d+) -> </regex>
+   <regex>(\S+),(\d+) PR (\w+) </regex>
    <order>action,srcip,srcport,dstip,dstport,protocol</order>
 </decoder>
-  
+
 
 <!-- AIX IPSec decoder.
   - Will extract the action,srcip,dstip,protocol,srcport,dstport
   - Examples:
-  - ipsec_logd: #:3 R:p  I:10.0.0.99 S:10.0.0.82 D:10.0.0.99 
+  - ipsec_logd: #:3 R:p  I:10.0.0.99 S:10.0.0.82 D:10.0.0.99
     P:tcp/ack SP:50349 DP:22 R:l I:en0 F:n T:0 L:88
-  - ipsec_logd: #:1 R:p  O:10.0.0.99. S:10.0.0.99 D:10.0.0.25 
-    P:udp SP:2063 DP:53 R:l I:en0 F:n T:0 L:81 
+  - ipsec_logd: #:1 R:p  O:10.0.0.99. S:10.0.0.99 D:10.0.0.25
+    P:udp SP:2063 DP:53 R:l I:en0 F:n T:0 L:81
  -->
 <decoder name="aix-ipsec">
    <type>firewall</type>
    <program_name>^ipsec_logd</program_name>
-   <regex> R:(\w)  \w:\S+ S:(\d+.\d+.\d+.\d+) </regex>
-   <regex>D:(\d+.\d+.\d+.\d+) P:(\S+) SP:(\d+) DP:(\d+) </regex>
+   <regex> R:(\w)  \w:\S+ S:(\S+) </regex>
+   <regex>D:(\S+) P:(\S+) SP:(\d+) DP:(\d+) </regex>
    <order>action,srcip,dstip,protocol,srcport,dstport</order>
 </decoder>
 
@@ -868,7 +1311,7 @@
   - Mar 30 15:47:05.522341 rule 4/(match) block in on lo0: 127.0.0.1.48784 > 127.0.0.1.23: S 1381529123:1381529123(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]
   - Mar 30 15:54:22.171929 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030:  udp 73
   - Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030:  udp 89
-  
+
   -->
 <decoder name="pf">
    <type>firewall</type>
@@ -876,7 +1319,7 @@
    <plugin_decoder>PF_Decoder</plugin_decoder>
 </decoder>
 
-  
+
 
 <!-- SonicWall decoder.
   - Will extract action, srcip, dstip, protocol, srcport and dstport
@@ -901,21 +1344,21 @@
   - <13>Mar 16 15:27:56 192.168.2.1 ns5gt: NetScreen device_id=ns5gt  [No Name]system-notification-00257(traffic): start_time=\"2004-03-16 16:31:22\" duration=0 policy_id=310001 service=tcp/port:120 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=60 src=10.1.1.1 dst=10.1.2.1 src_port=32047 dst_port=22
   - Jun  2 11:24:16 fire00 sav00: NetScreen device_id=sav00  [Root]system-critical-00436: Large ICMP packet! From 210.232.20.7 to 148.100.114.126, proto 1 (zone Untrust, int ethernet1/2). Occurred 1 times. (2006-06-02 11:24:16)
   -  NetScreen device_id=ns5gt [Root]system-critical-00027: Multiple login failures occurred for user netscreen from IP address 1.2.3.4:1567 (2004-10-07)
-  - 
+  -
   - ** Program name for netscreen is empty, since it is the hostname.
   -->
 <decoder name="netscreenfw">
   <program_name />
   <prematch>^NetScreen device_id</prematch>
-</decoder>  
+</decoder>
 
 <decoder name="netscreenfw-traffic">
   <parent>netscreenfw</parent>
   <type>firewall</type>
-  
+
   <prematch offset="after_parent">system-notification-00257</prematch>
   <prematch>\(traffic\): </prematch>
-  
+
   <regex offset="after_prematch"> proto=(\w+) \.+action=(\w+) </regex>
   <regex>\.+src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+)</regex>
   <order>protocol, action, srcip, dstip, srcport, dstport</order>
@@ -924,17 +1367,18 @@
 <decoder name="netscreenfw-critical">
   <parent>netscreenfw</parent>
   <prematch offset="after_parent">system-critical-\.+ from |</prematch>
-  <prematch>system-alert-\.+ from </prematch>
-  
+  <prematch>system-alert-\.+ from |</prematch>
+  <prematch>system-emergency-\.+ From </prematch>
+
   <regex offset="after_parent">system-(\w+)-(\d+): \.+ </regex>
-  <regex>from\.+(\d+.\d+.\d+.\d+)</regex>
+  <regex>from\.+(\S+)</regex>
   <order>action, id, srcip</order>
 </decoder>
 
 <decoder name="netscreenfw-admin">
   <parent>netscreenfw</parent>
   <regex offset="after_parent">system-(\w+)-(\d+):</regex>
-  <order>action, id</order>  
+  <order>action, id</order>
 </decoder>
 
 
@@ -946,7 +1390,7 @@
   - %PIX-3-106010: Deny inbound tcp src outside:213.98.79.233/2620 dst dmz:213.98.254.145/135
   - %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137
   dst outside:192.168.2.14/137
-  - %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.100.7.43/80 dst 
+  - %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.100.7.43/80 dst
   inside:10.100.4.71/2285
   - %PIX-3-710003: TCP access denied by ACL from 216.39.220.130/54065 to outside:62.192.113.98/ssh
   - %PIX-7-710001: TCP access requested from X.X.X.X/1292 to outside:Y.Y.Y.Y/ssh
@@ -956,7 +1400,7 @@
   - %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
   -  %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
   - %PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
-  - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on  
+  - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on
   interface vpn
   - %PIX-7-710002: TCP access permitted from 10.0.0.1/60749 to db:10.0.0.2/ssh
   - %PIX-6-305012: Teardown dynamic UDP translation from inside:1.1.1.1/12 to outside:1.2.1.2/11 duration 0:00:11.
@@ -987,7 +1431,7 @@
   <parent>pix</parent>
   <type>firewall</type>
   <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
-  <regex offset="after_parent">^(\S+): (\S+) \w+ (\w+)\.+from </regex>
+  <regex offset="after_parent">^(\S+): (\S+) \w+ (\w+) \.+from </regex>
   <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
   <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
 </decoder>
@@ -1015,7 +1459,7 @@
   <type>firewall</type>
   <prematch offset="after_parent">^2-106006|^2-106007</prematch>
   <regex offset="after_parent">^(\S+): (\w+) \S+ (\w+) from </regex>
-  <regex>(\d+.\d+.\d+.\d+)/(\d+) to (\d+.\d+.\d+.\d+)/(\d+) </regex>
+  <regex>(\S+)/(\d+) to (\S+)/(\d+) </regex>
   <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
 </decoder>
 
@@ -1046,23 +1490,47 @@
   <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
 </decoder>
 
+<decoder name="pix-url-success">
+  <parent>pix</parent>
+  <prematch offset="after_parent">^5-304001: </prematch>
+  <regex offset="after_parent">^(\S+): (\S+) Accessed URL </regex>
+  <regex>(\S+):(http\w*://\.+)|</regex>
+  <regex>^(\S+): (\S+) Accessed URL (\S+):</regex>
+  <order>id, srcip, dstip, url</order>
+</decoder>
+
+<decoder name="pix-url-deny">
+  <parent>pix</parent>
+  <prematch offset="after_parent">^5-304002: </prematch>
+  <regex offset="after_parent">^(\S+): Access (denied) URL (http\w*://\.+) </regex>
+  <regex>SRC (\S+) DEST (\S+) on interface</regex>  
+  <order>id, action, url, srcip, dstip</order>
+</decoder>
+
 <decoder name="pix-attacks">
   <parent>pix</parent>
   <prematch offset="after_parent">^2-106012: |^2-106017: |</prematch>
   <prematch>^2-106020|^1-106021|^1-106022|</prematch>
   <prematch>^4-4000</prematch>
-  <regex offset="after_parent">^(\S+): \.+ from (\d+.\d+.\d+.\d+) </regex>
+  <regex offset="after_parent">^(\S+): \.+ from (\S+) </regex>
   <order>id, srcip</order>
 </decoder>
 
 <decoder name="pix-srcip">
   <parent>pix</parent>
-  <prematch offset="after_parent">^6-605004|^6-308001|^6-605005</prematch>
-  <regex offset="after_parent">^(\S+): \.+ (\d+.\d+.\d+.\d+)</regex>
+  <prematch offset="after_parent">^6-308001</prematch>
+  <regex offset="after_parent">^(\S+): \.+ (\S+)</regex>
   <order>id, srcip</order>
 </decoder>
 
-<decoder name="pix-generic">
+<decoder name="pix-srcip-port">
+  <parent>pix</parent>
+  <prematch offset="after_parent">^6-605004|^6-605005</prematch>
+  <regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)"</regex>
+  <order>id, action, srcip, srcport, user</order>
+</decoder>
+
+<decoder name="pix-generic">
   <parent>pix</parent>
   <regex offset="after_parent">^(\S+): </regex>
   <order>id</order>
@@ -1071,7 +1539,7 @@
 
 
 <!-- Cisco VPN Concentrator
-  - Will exatract srcip and username.
+  - Will extract srcip and username.
   - Examples:
   -
   - Jan 8 09:10:37 vpn.example.com 11504 01/08/2007 09:10:37.780 SEV=3 AUTH/5 RPT=124 192.168.0.1 Authentication rejected: Reason = Unspecified handle = 805, server = auth.example.com, user = testuser, domain = <not specified>
@@ -1079,28 +1547,28 @@
   -->
 <decoder name="cisco-vpn-concentrator">
   <prematch>^\d+ \d\d/\d\d/\d\d\d\d \S+ SEV=\d </prematch>
-  <regex offset="after_prematch">^(\S+) RPT=\d+ (\d+.\d+.\d+.\d+) </regex>
+  <regex offset="after_prematch">^(\S+) RPT=\d+ (\S+) </regex>
   <order>id, srcip</order>
-</decoder> 
+</decoder>
 
 
 
 <!-- Snort decoder.
   - Will extract the id, srcip and dstip
   - Examples:
-  - snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information 
+  - snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information
     Leak] [Priority: 2]: {ICMP} 10.4.12.26 -> 10.4.10.231
-  - snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information 
+  - snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information
     Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162
   - [**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
     [Classification: Web Application Attack]
     [Priority: 1]  10.4.12.26:34041 -> 66.179.53.37:80
   - [**] [1:1421:11] SNMP AgentX/tcp request [**]
     [Classification: Attempted Information Leak] [Priority: 2]
-    10.4.3.20:626 -> 10.4.10.161:705              
+    10.4.3.20:626 -> 10.4.10.161:705
   - [**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
     [Classification: Potentially Bad Traffic] [Priority: 2]
-    {UDP} 192.168.20.32 -> 192.168.20.2  
+    {UDP} 192.168.20.32 -> 192.168.20.2
   -->
 
 <decoder name="snort">
@@ -1111,18 +1579,50 @@
   <type>ids</type>
   <prematch>^[**] [\d+:\d+:\d+] </prematch>
 </decoder>
-  
+
 <decoder name="snort2">
    <parent>snort</parent>
    <type>ids</type>
    <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
-   <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
-   <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
-   <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
+   <regex>^[**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> </regex>
+   <regex>(\S+)|^[(\d+:\d+:\d+)] \.+ </regex>
+   <regex>(\S+)\p*\d* -> (\S+)</regex>
    <order>id,srcip,dstip</order>
    <fts>name,id,srcip,dstip</fts>
 </decoder>
 
+<decoder name="snort3">
+   <parent>snort</parent>
+   <type>ids</type>
+   <prematch>^[Drop] [**] |^[\d+:\d+:\d+] </prematch>
+   <regex>^[Drop] [**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> </regex>
+   <regex>(\S+)|^[(\d+:\d+:\d+)] \.+ </regex>
+   <regex>(\S+)\p*\d* -> (\S+)</regex>
+   <order>id,srcip,dstip</order>
+   <fts>name,id,srcip,dstip</fts>
+</decoder>
+
+
+<!-- OpenBSD isakmpd decoders -->
+
+<decoder name="isakmpd">
+  <program_name>^isakmpd</program_name>
+</decoder>
+
+<decoder name="isakmpd-from">
+  <parent>isakmpd</parent>
+  <prematch>message from </prematch>
+  <regex>from (\S+) port (\d+)</regex>
+  <order>srcip,srcport</order>
+</decoder>
+
+<decoder name="isakmpd-peer">
+  <parent>isakmpd</parent>
+  <prematch>from peer</prematch>
+  <regex>from peer (\S+):(\d+)$</regex>
+  <order>srcip,srcport</order>
+</decoder>
+
 
 
 <!-- Suhosin decoder.
@@ -1130,12 +1630,12 @@
   - Examples:
   - suhosin[76366]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '200.139.164.149', file 'xyz')
   - suhosin[24239]: ALERT - configured request variable value length limit exceeded - dropped variable 'introtext' (attacker '192.168.1.2', file '/var/www/site/administrator/index2.php')
-  - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php') 
+  - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
   -->
 <decoder name="suhosin">
   <program_name>^suhosin</program_name>
   <type>ids</type>
-  <regex>^ALERT - (\.+) \(attacker '(\d+.\d+.\d+.\d+)', </regex>
+  <regex>^ALERT - (\.+) \(attacker '(\S+)', </regex>
   <order>id, srcip</order>
   <fts>name, location, id</fts>
 </decoder>
@@ -1152,13 +1652,13 @@
    <type>ids</type>
    <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\|</prematch>
    <regex offset="after_prematch">^\S+\|(\S+)\|</regex>
-   <regex>(\d+.\d+.\d+.\d+)\|(\d+.\d+.\d+.\d+)\|</regex>
+   <regex>(\S+)\|(\S+)\|</regex>
    <order>id, srcip, dstip</order>
    <fts>name, id, srcip, dstip</fts>
 </decoder>
-                        
-   
-   
+
+
+
 <!-- Horde decoder
   - Will extract: username and srcip.
   - Examples:
@@ -1167,19 +1667,19 @@
   -->
 <decoder name="horde_imp">
   <prematch>^[\w+] [imp] |^[\w+] [horde] </prematch>
-</decoder>  
+</decoder>
 
 <decoder name="horde_imp_success">
   <parent>horde_imp</parent>
   <prematch offset="after_parent">^Login success </prematch>
-  <regex offset="after_prematch">^for (\S+) [(\d+.\d+.\d+.\d+)] </regex>
+  <regex offset="after_prematch">^for (\S+) [(\S+)] </regex>
   <order>user, srcip</order>
 </decoder>
 
 <decoder name="horde_imp_failed">
   <parent>horde_imp</parent>
   <prematch offset="after_parent">^FAILED LOGIN</prematch>
-  <regex offset="after_prematch">^ (\d+.\d+.\d+.\d+) to \S+ as (\S+) </regex>
+  <regex offset="after_prematch">^ (\S+) to \S+ as (\S+) </regex>
   <order>srcip, user</order> 
 </decoder>
 
@@ -1190,11 +1690,12 @@
   - Examples:
   - WPsyslog[14382]: [127.0.0.1 na] Info: User authentication failed. User name: lala
   - WPsyslog[14382]: [127.0.0.1 na] Info: User logged in. User name: admin (admin).
+  - wpcore[14554]: [127.0.0.1 na] http://megasite.com/wordpress Info: User authentication failed. User name: qwe.
   -->
 <decoder name="wordpress">
-  <program_name>^WPsyslog</program_name>
+  <program_name>^WPsyslog|^wpcore</program_name>
   <prematch>^[</prematch>
-  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) </regex>
+  <regex offset="after_prematch">^(\S+) </regex>
   <order>srcip</order>
 </decoder>
 
@@ -1202,60 +1703,110 @@
 
 <!-- Roundcube decoder
  - Will extract username and src IP from the logs, when available.
-   Examples:
- - Apr 10 22:45:20 hostname roundcube: [10-Apr-2009 22:45:20 -0500] IMAP
-   Error: Authentication for username failed (LOGIN): "a001 NO Authentication
-   failed." (POST /roundcube/?_task=&_action=login)
- - Apr 10 23:01:23 hostname roundcube: [10-Apr-2009 23:01:23 -0500]:
-   Successful login for username (id 1) from 127.0.0.1
+
+   Examples syslog: (older and newer versions of roundcube)
+ - Apr 10 22:45:20 hostname roundcube: [10-Apr-2009 22:45:20 -0500] IMAP Error: Authentication for username failed (LOGIN): "a001 NO Authentication failed." (POST /roundcube/?_task=&_action=login)
+ - Apr 10 23:01:23 hostname roundcube: [10-Apr-2009 23:01:23 -0500]: Successful login for username (id 1) from 127.0.0.1
+ - Oct 28 19:31:08 hostname roundcube: <isj89gtf> IMAP Error: Login failed for username from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
+
+   Example from roundcube internal logfile (/path/to/roundcube/logs/errors):
+ - [04-Oct-2017 17:03:30 +0200]: <jkgnfe79> IMAP Error: Login failed for username from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
+
+   Examples if log_logins is enabled (/path/to/roundcube/logs/userlogins):
+ - [04-Oct-2017 16:08:01 +0200]: <lrpo6s0r> Failed login for test from 127.0.0.1 in session abcdefg (error: 0)
+ - [04-Oct-2017 16:09:17 +0200]: <4bd4jqqc> Successful login for test (ID: 6) from 127.0.0.1 in session abcdefg
 -->
+
 <decoder name="roundcube">
   <program_name>^roundcube</program_name>
+</decoder>
+
+<decoder name="roundcube">
   <prematch>^[\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d \S+]</prematch>
 </decoder>
 
 <decoder name="roundcube-success">
   <parent>roundcube</parent>
-  <prematch>^: Successful login for </prematch>
-  <regex offset="after_prematch">^(\S+) \(id \d+\) from (\d+.\d+.\d+.\d+)$</regex>
+  <prematch> Successful login for </prematch>
+  <regex offset="after_prematch">^(\S+) \(id \d+\) from (\S+)$|^(\S+) \(ID: \d+\) from (\S+)</regex>
   <order>user, srcip</order>
 </decoder>
 
-<decoder name="roundcube-denied">
+<decoder name="roundcube-denied-old">
   <parent>roundcube</parent>
-  <prematch>^ \w+ Error: Authentication </prematch>
-  <regex offset="after_prematch">^for (\.+) failed</regex>
+  <prematch>] \w+ Error: Authentication </prematch>
+  <regex offset="after_prematch">^for (\S+) failed</regex>
   <order>user</order>
 </decoder>
 
+<decoder name="roundcube-denied-new">
+  <parent>roundcube</parent>
+  <prematch>> \w+ Error: Login failed |> Failed login </prematch>
+  <regex offset="after_prematch">^for (\S+) from (\S+)\. |^for (\S+) from (\S+) in session </regex>
+  <order>user, srcip</order>
+</decoder>
+
 
 
 <!-- Apache decoder.
+  - Updated by jesus@wazuh.com. 2016/02/17
   - Will extract the srcip
   - Examples:
-  - [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
-  - [error] [client 64.94.163.159] Client sent malformed Host header
-  - [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
-  - [notice] Apache configured  
-  - httpd[18660]: [error] [client 12.34.56.78] File does not exist: /usr/local/htdocs/cache
-  - httpd[23745]: [error] [client 12.34.56.78] PHP Notice:
-  -->
+  - Without ID: Will extract the srcip and srcport (when it is available)
+      - [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
+      - [error] [client 64.94.163.159] Client sent malformed Host header
+      - [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
+      - [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice:  A non well formed numeric value encountered in /path/to/file.php on line 123
+      - Feb 17 18:00:00 myhost httpd[18660]: [error] [client 12.34.56.78] File does not exist: /usr/local/htdocs/cache
+      - Feb 17 18:00:00 myhost httpd[23745]: [error] [client 12.34.56.78] PHP Notice:
+  - With IP + ID: Will extract the srcip, id, and srcport (when it is available)
+      - [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png
+      - [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb
+      - [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/
+      - [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443)
+      - ModSecurity
+        - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10] ModSecurity: Access denied with code 403 (phase 2). Text...
+        - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10:5555] ModSecurity: Access denied with code 403 (phase 2). Text...
+  - Others
+      - [notice] Apache configured
+      - [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
+      - [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
+-->
+
 <decoder name="apache-errorlog">
-  <program_name>^httpd</program_name>
-</decoder>  
+    <program_name>^httpd</program_name>
+</decoder>
 
 <decoder name="apache-errorlog">
-  <prematch>^[warn] |^[notice] |^[error] </prematch>
-</decoder>  
+    <prematch>^[warn] |^[notice] |^[error] </prematch>
+</decoder>
 
-<decoder name="apache-errorlog-ip">
-  <parent>apache-errorlog</parent>
-  
-  <prematch offset="after_parent">^[client</prematch>
-  <regex offset="after_prematch">^ (\d+.\d+.\d+.\d+)] </regex>
-  <order>srcip</order>
-</decoder> 
+<decoder name="apache-errorlog">
+    <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
+</decoder>
+
+
+<decoder name="apache24-errorlog-ip-port">
+    <parent>apache-errorlog</parent>
+    <prematch offset="after_parent">[client \S+:\d+] \S+:</prematch>
+    <regex offset="after_parent">[client (\S+):(\d+)] (\S+): </regex>
+    <order>srcip,srcport,id</order>
+</decoder>
 
+<decoder name="apache24-errorlog-ip">
+    <parent>apache-errorlog</parent>
+    <prematch offset="after_parent">[client \S+] \S+:</prematch>
+    <regex offset="after_parent">[client (\S+)] (\S+): </regex>
+    <order>srcip,id</order>
+</decoder>
+
+
+<decoder name="apache-errorlog-ip">
+    <parent>apache-errorlog</parent>
+    <prematch offset="after_parent">[client</prematch>
+    <regex offset="after_prematch">^ (\S+):(\d+)] |^ (\S+)] </regex>
+    <order>srcip,srcport</order>
+</decoder>
 
 
 
@@ -1272,7 +1823,7 @@
 <decoder name="nginx-errorlog-ip">
   <parent>nginx-errorlog</parent>
   <prematch offset="after_parent">, client: \S+, server: \S+, request: "\S+ </prematch>
-  <regex offset="after_parent">, client: (\d+.\d+.\d+.\d+), </regex> 
+  <regex offset="after_parent">, client: (\S+), </regex> 
   <order>srcip</order>
 </decoder>
 
@@ -1286,18 +1837,19 @@
   - Examples:
   -  63.91.167.39 - - [03/Aug/2001:21:56:18 -0700] "GET /default.ida?NNNN
   -  206.78.62.16 - - [06/Aug/2001:08:57:08 -0700] "GET /default.ida?XX
-  -  5.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error: 
+  -  5.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:
   -  192.168.2.190 - - [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
      200 1732
-  -  1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"   
+  -  1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
   -  123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
+  - ::ffff:202.194.15.192 190.7.138.180 - [18/Oct/2010:10:48:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 345 "-"  "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
   -->
 <decoder name="web-accesslog">
   <type>web-log</type>
-  <prematch>^\d+.\d+.\d+.\d+ </prematch>
-  <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
-  <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
-  <order>srcip, url, id</order>
+  <prematch>^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \S+ HTTP\S+" </prematch>
+  <regex>^(\S+) \S+ (\S+) [\S+ \S\d+] </regex>
+  <regex>"(\w+) (\S+) HTTP\S+" (\d+) </regex>
+  <order>srcip, srcuser, action, url, id</order>
 </decoder>
 
 
@@ -1310,7 +1862,7 @@
 <decoder name="windows-date-format">
   <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
 </decoder>
- 
+
 
 
 <!-- Windows firewall decoder.
@@ -1330,8 +1882,8 @@
   <regex>(\S+) (\S+) (\d+) (\d+) </regex>
   <order>action, protocol, srcip, dstip, srcport, dstport</order>
 </decoder>
- 
- 
+
+
 <!-- IIS 5 WWW W3C log format.
   - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
   - Examples:
@@ -1341,8 +1893,8 @@
   <parent>windows-date-format</parent>
   <type>web-log</type>
   <use_own_name>true</use_own_name>
-  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ W3SVC</prematch>
-  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ </regex>
+  <prematch offset="after_parent">^\S+ \S+ W3SVC</prematch>
+  <regex offset="after_parent">^(\S+) \S+ \S+ \S+ \S+ </regex>
   <regex>\d+ \S+ (\S+ \S+) (\d+) </regex>
   <order>srcip,url,id</order>
 </decoder>
@@ -1361,11 +1913,32 @@
   <type>web-log</type>
   <use_own_name>true</use_own_name>
   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
-  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
+  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\S+) </regex>
   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
   <order>url, srcip, id</order>
 </decoder>
 
+<!-- Windows IIS decoder for default settings
+  -  Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
+  -  Will extract URL, Source IP, and HTTP response code
+  -  Examples:
+  -  IIS 7.5
+  -  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
+  -  IIS 8.5
+  -  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
+  -  2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
+  -  2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
+-->
+
+<decoder name="web-accesslog-iis-default">
+  <parent>windows-date-format</parent>
+  <type>web-log</type>
+  <use_own_name>true</use_own_name>
+  <prematch offset="after_parent">^\S+ GET |^\S+ POST </prematch>
+  <regex offset="after_prematch">(\S+ \S*) \.* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
+  <order>url,srcip,id</order>
+</decoder>
+
 
 <!-- IIS 5 W3C FTP log format.
   - Examples:
@@ -1376,11 +1949,11 @@
 <decoder name="msftp">
   <parent>windows-date-format</parent>
   <use_own_name>true</use_own_name>
-  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ MSFTPSVC</prematch>
-  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\S+) \S+ \S+ \S+ </regex>
+  <prematch offset="after_parent">^\S+ \S+ MSFTPSVC</prematch>
+  <regex offset="after_parent">^(\S+) (\S+) \S+ \S+ \S+ </regex>
   <regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
   <order>srcip,user,action,id</order>
-</decoder>  
+</decoder>
 
 
 
@@ -1393,8 +1966,8 @@
 <decoder name="msexchange">
   <parent>windows-date-format</parent>
   <use_own_name>true</use_own_name>
-  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ SMTPSVC</prematch>
-  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ </regex>
+  <prematch offset="after_parent">^\S+ \S+ SMTPSVC</prematch>
+  <regex offset="after_parent">^(\S+) \S+ \S+ \S+ \S+ </regex>
   <regex>\d+ (\S+) \S+ \S+ (\d+) </regex>
   <order>srcip, action, id</order>
 </decoder>
@@ -1404,7 +1977,7 @@
 <!-- Racoon VPN.
   - Extract id (error or info) and ip address whenever possible.
   - 2006-08-08 01:42:09: ERROR: couldn't find the pskey for 222.155.15.88.
-  - 
+  -
   -->
 <decoder name="racoon">
   <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d: </prematch>
@@ -1413,9 +1986,9 @@
 <decoder name="racoon-failed">
   <parent>racoon</parent>
   <use_own_name>true</use_own_name>
-    
+
   <prematch offset="after_parent">^ERROR: couldn't find the pskey </prematch>
-  <regex offset="after_prematch">^for (\d+.\d+.\d+.\d+)</regex>
+  <regex offset="after_prematch">^for (\S+)</regex>
   <order>srcip</order>
 </decoder>
 
@@ -1425,50 +1998,60 @@
   <order>action</order>
 </decoder>
 
-            
-
-<!-- Squid access log decoder.
-  - Will extract the srcip.
-  - Author: Ahmet Ozturk
-  - Examples:
-  - 1140701044.525   1231 192.168.1.201 TCP_DENIED/400 1536
-    GET ahmet - NONE/- text/html
-  - 1140701230.827    781 192.168.1.210 TCP_DENIED/407 1785
-    GET http://www.ossec.net oahmet NONE/- text/html
-  -->
-<decoder name="squid-accesslog">
-  <type>squid</type>
-  <prematch>^\d+ \d+.\d+.\d+.\d+ </prematch>
-  <regex>^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
-  <order>srcip,action,id,url</order>
-</decoder>  
 
 
 <!-- Windows decoder
   - Will extract extra_data (as win source),action (as win category), id,
   - username and computer name (as system_name).
   - Examples:
-  - WinEvtLog: Application: INFORMATION(0x00000064): ESENT: 
-    (no user)(no domain): 
-  - WinEvtLog: Security: AUDIT_FAILURE(0x000002A9): Security: 
-    SYSTEM: NT AUTHORITY: The logon to account: xyz    by: 
-    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    from workstation: la    failed. 
+  - WinEvtLog: Application: INFORMATION(0x00000064): ESENT:
+    (no user)(no domain):
+  - WinEvtLog: Security: AUDIT_FAILURE(0x000002A9): Security:
+    SYSTEM: NT AUTHORITY: The logon to account: xyz    by:
+    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    from workstation: la    failed.
     The error code was: 3221225572
-  - WinEvtLog: Security: AUDIT_FAILURE(0x00000211): Security: 
-    SYSTEM: NT AUTHORITY: Logon Failure:      Reason:     Unknown user 
-    name or bad password       User Name:  ab      Domain:     cd      
-    Logon Type: 2       Logon Process:  User32          Authentication 
+  - WinEvtLog: Security: AUDIT_FAILURE(0x00000211): Security:
+    SYSTEM: NT AUTHORITY: Logon Failure:      Reason:     Unknown user
+    name or bad password       User Name:  ab      Domain:     cd
+    Logon Type: 2       Logon Process:  User32          Authentication
     Package: Negotiate       Workstation Name:   ad
-  - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff:        User Name:      lac     Domain:         OSSEC-HM        Logon ID:               (0x0,0x7C966E)          Logon Type:     2  
+  - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff:        User Name:      lac     Domain:         OSSEC-HM        Logon ID:               (0x0,0x7C966E)          Logon Type:     2
+  - 2013 Oct 09 17:09:04 WinEvtLog: Application: INFORMATION(1): My Script: (no user): no domain: demo1.foo.example.com: test
   -->
 <decoder name="windows">
   <type>windows</type>
-  <prematch>^WinEvtLog: </prematch>
-  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
+  <program_name>^WinEvtLog</program_name>
+</decoder>
+
+<decoder name="windows1">
+  <type>windows</type>
+  <parent>windows</parent>
+  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
   <regex>(\.+): \.+: (\S+): </regex>
   <order>status, id, extra_data, user, system_name</order>
-  <fts>name, location, user, system_name</fts>
-</decoder>    
+  <fts>name, location, system_name</fts>
+</decoder>
+
+<decoder name="windows1">
+  <type>windows</type>
+  <parent>windows</parent>
+  <regex> Source Network Address: (\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="windows1">
+  <type>windows</type>
+  <parent>windows</parent>
+  <regex> Account Name:\s+(\w+\.+)\s+Account</regex>
+  <order>user</order>
+</decoder>
+
+<decoder name="windows1">
+  <type>windows</type>
+  <parent>windows</parent>
+  <regex>Account Domain:\s\s+(\w\.+)\s\s+Logon ID:</regex>
+  <order>extra_data</order>
+</decoder>
 
 
 <!-- Windows decoder -NTsyslog format
@@ -1486,7 +2069,7 @@
 </decoder>
 
 
-<!-- Windows decoder - Snare format. 
+<!-- Windows decoder - Snare format.
   - Will extract extra_data (as win source), action (as category), id,
   - username and computer name (as system_name).
   -
@@ -1513,7 +2096,7 @@
   -->
 <decoder name="windows-snare">
   <type>windows</type>
-  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\w \w\w\w \d\d \d\d</prematch>
+  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
   <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
   <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
   <order>id, extra_data, user, status, system_name</order>
@@ -1571,23 +2154,49 @@
 <decoder name="ossec">
   <prematch>^ossec: </prematch>
   <type>ossec</type>
-</decoder>  
+</decoder>
+
+<decoder name="ossec-logcollector">
+  <type>ossec</type>
+  <prematch>^\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d ossec-logcollector</prematch>
+  <regex offset="after_prematch">^\(\d+\): (\.)</regex>
+  <order>extra_data</order>
+</decoder>
 
 <decoder name="ossec-agent">
   <parent>ossec</parent>
   <type>ossec</type>
   <prematch offset="after_parent">^Agent started:</prematch>
-  <regex offset="after_prematch">^ '(\S+)'</regex>
+  <regex offset="after_prematch">^ '(\S+\S)'</regex>
   <order>extra_data</order>
   <fts>name, location, extra_data</fts>
 </decoder>
 
+<decoder name="ossec-alert1">
+   <parent>ossec</parent>
+   <prematch>^ossec: Alert Level:</prematch>
+   <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
+</decoder>
+
 <decoder name="ossec-alert">
   <program_name>^ossec$</program_name>
   <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
-</decoder>  
+</decoder>
 
+<!-- decoder for active responses as logged by an OSSEC agent or server
 
+- Examples
+Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.16.0.1 1304756247.60385 31151
+Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.16.0.1 1304756247.60385 31151
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 172.16.0.1 1304756247.60385 31151
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+<decoder name="ar_log">
+  <prematch>^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response</prematch>
+  <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
+  <order>action, status, srcip, id, extra_data</order>
+</decoder>
 
 <!-- Zeus decoder.
   - Will extract the severity and the srcip/username when available.
@@ -1604,7 +2213,7 @@
 
 
 <!-- Vmware ESX logs.
-  - Will extract the severity and username/ip when availavle.
+  - Will extract the severity and username/ip when available.
   - Examples:
   - [2008-03-09 22:43:35.924 'ha-eventmgr' 84503472 info] Event 2053 : User root@127.0.0.1 logged in
   - [2008-02-05 02:13:18.112 'ha-eventmgr' 95833272 info] Event xyz : User m@1.2.3.4 logged in
@@ -1615,20 +2224,20 @@
   -->
 <decoder name="vmware">
   <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d '\S+' \d+ </prematch>
-</decoder>  
+</decoder>
 
 <decoder name="vmware-extra">
   <parent>vmware</parent>
   <regex offset="after_parent">^(\w+)] \S+ \S+ </regex>
   <order>status</order>
-</decoder>  
+</decoder>
 
 <decoder name="vmware-extra">
   <parent>vmware</parent>
-  <regex offset="after_regex">^: User (\w+)@(\d+.\d+.\d+.\d+)</regex>
-  <regex> logged |^: Failed login \w+ for (\w+)@(\d+.\d+.\d+.\d+)</regex>
+  <regex offset="after_regex">^: User (\w+)@(\S+)</regex>
+  <regex> logged |^: Failed login \w+ for (\w+)@(\S+)</regex>
   <order>user, srcip</order>
-</decoder>  
+</decoder>
 
 <decoder name="vmware-syslog">
   <program_name>vmware</program_name>
@@ -1640,7 +2249,7 @@
   <regex offset="after_prematch">^ \S+ for user (\S+) from (\S+)$</regex>
   <order>user, srcip</order>
 </decoder>
-          
+
 <decoder name="vmware-login">
   <parent>vmware-syslog</parent>
   <prematch>^login from </prematch>
@@ -1657,7 +2266,7 @@
   - Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet
     failed session 2740580090 by root as root:root from 1.254.168.192
   - failed session 2740580090 by root as root:root from 1.254.168.192
-  - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj   
+  - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj
   -->
 <decoder name="solaris_bsm">
   <program_name>^audit$</program_name>
@@ -1689,14 +2298,40 @@
   <program_name>^asterisk</program_name>
 </decoder>
 
+<decoder name="asterisk-hijacking">
+  <parent>asterisk</parent>
+  <prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
+  <regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
+  <order>user</order>
+</decoder>
+
 <decoder name="asterisk-denied">
   <parent>asterisk</parent>
   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
-  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">^'\.+' failed for '(\S+):(\d+)'|^'\.+' failed for '(\S+)'</regex>
+  <order>srcip,srcport</order>
 </decoder>
 
+<decoder name="asterisk-denied2">
+  <parent>asterisk</parent>
+  <prematch>Registration from </prematch>
+  <regex offset="after_prematch">failed for '(\S+):(\d+)'|failed for '(\S+)'</regex>
+  <order>srcip,srcport</order>
+</decoder>
+
+<decoder name="asterisk-denied3">
+  <parent>asterisk</parent>
+  <prematch>^NOTICE[\d+][\w+]: \S+ in \S+: Call from </prematch>
+  <regex offset="after_prematch">^'\S*' \((\S+):(\d+)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'.$</regex>
+  <order>srcip, srcport, extra_data, extra_data</order>
+</decoder>
 
+<decoder name="asterisk-iax-authentication-denied">
+  <parent>asterisk</parent>
+  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
+  <regex offset="after_prematch">^(\S+) failed MD5 authentication for (\S+)</regex>
+  <order>srcip, user</order>
+</decoder>
 
 <!-- Cisco IOS
   - Group for Cisco IOS messages.
@@ -1721,8 +2356,8 @@
   <program_name />
   <prematch>^%\w+-\d-\w+: </prematch>
 </decoder>
-  
-  
+
+
 <!-- Cisco IOS
   - Will extract the action, srcip, srcport, dstip and dstport
   - Samples:
@@ -1740,7 +2375,7 @@
 </decoder>
 
 
-<!-- Cisco IOS IDS/IPS module 
+<!-- Cisco IOS IDS/IPS module
   - Will extract the id, srcip, srcport, dstip and dstport
   - Sep  1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
   - Sep  1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
@@ -1790,7 +2425,7 @@
   - logger :
   -         -t <tag> prepends "tag: " to log entry
   -        the tag here must match "program name" in the decoder
-  -            
+  -
   - Examples:
   -
   - Checkpoint: 21Aug2007 12:00:00 accept 10.10.10.2 >eth0 rule: 100; rule_uid:
@@ -1807,12 +2442,12 @@ service: 138; s_port: 138;
 dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 &
 FireWall-1;
   -
-  - Checkpoint:  3Apr2008 15:02:15 monitor 10.10.10.3 >eth2 Attack Info: Line 
-in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst: 
+  - Checkpoint:  3Apr2008 15:02:15 monitor 10.10.10.3 >eth2 Attack Info: Line
+in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 10.10.10.5; proto: tcp; product: SmartDefense; service: 111; s_port: 222;
   -->
 
-<!-- \s+\S+ \d\d:\d\d:\d\d (\w+) \d+.\d+.\d+.\d+ \p\S+ rule: -->
+<!-- \s+\S+ \d\d:\d\d:\d\d (\w+) \S+ \p\S+ rule: -->
 <decoder name="checkpoint-syslog">
   <program_name>^Checkpoint</program_name>
   <prematch>^\s+\S+ \d\d:\d\d:\d\d </prematch>
@@ -1823,9 +2458,9 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
   <type>firewall</type>
   <prematch offset="after_parent">^drop|^accept|^reject</prematch>
   <regex offset="after_parent">^(\w+)\s+\S+ \p\S+ rule:\.+</regex>
-  <regex>src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); proto: (\S+);</regex>
+  <regex>src: (\S+); dst: (\S+); proto: (\S+);</regex>
   <order>action,srcip,dstip,protocol</order>
-</decoder>  
+</decoder>
 
 <decoder name="checkpoint-syslog-fw">
   <parent>checkpoint-syslog</parent>
@@ -1833,13 +2468,13 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
   <regex offset="after_regex">service: (\d+); s_port: (\d+);</regex>
   <order>dstport,srcport</order>
 </decoder>
-            
+
 <decoder name="checkpoint-syslog-ids">
   <parent>checkpoint-syslog</parent>
   <type>ids</type>
   <prematch offset="after_parent">^monitor|^drop</prematch>
   <regex offset="after_prematch">attack: (\.+); </regex>
-  <regex>src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); </regex>
+  <regex>src: (\S+); dst: (\S+); </regex>
   <regex>proto: (\S+);</regex>
   <order>extra_data, srcip, dstip, protocol</order>
   <fts>name, extra_data, srcip, dstip</fts>
@@ -1851,7 +2486,7 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 <!-- Microsoft Windows 2003 ipv4, 2008 ipv4/ipv6 DHCP decoder for OSSEC
   -  Author: phishphreek@gmail.com
   -->
-  
+
 <!--
   -  Server 2008 DHCP IPv4 Decoder (must go first)
   -  ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID.
@@ -1860,16 +2495,16 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 -->
 
 <decoder name="ms-dhcp-ipv4">
-  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
-  <regex>^(\d\d),</regex>
-  <order>id</order>
+  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
+  <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
+  <regex>^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\S+)</regex>
+  <order>id,extra_data,srcip</order>
 </decoder>
 
 <!--
   -  Server 2008 DHCP IPv6 Decoder (must go second)
   -  ID,Date,Time,Description,IPV6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name.
 -->
-11020,05/05/09,00:00:38,DHCPV6
 <decoder name="ms-dhcp-ipv6">
   <prematch>^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d,</prematch>
   <regex>^(\d\d\d\d\d),</regex>
@@ -1877,5 +2512,860 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 </decoder>
 
 
+<!-- OpenBSD kernel messages -->
+<decoder name="bsd_kernel">
+  <program_name>^/bsd</program_name>
+</decoder>
+
+<decoder name="bsd_arp">
+  <parent>bsd_kernel</parent>
+  <prematch offset="after_parent">^arp </prematch>
+  <regex offset="after_prematch"> for (\S+) by (\S+) on \S+</regex>
+  <order>dstip, extra_data</order>
+</decoder>
+
+<!-- OpenBSD deluser
+  -  2014-02-21T10:22:55.134355-05:00 arrakis userdel[23023]: user removed: name=dac
+-->
+
+<decoder name="open-userdel">
+  <program_name>userdel</program_name>
+  <regex>user removed: name=(\S+)$</regex>
+  <order>srcuser</order>
+</decoder>
+
+
+
+<!-- OpenBSD mountd decoder
+- Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
+-->
+
+<decoder name="mountd">
+  <program_name>^mountd</program_name>
+</decoder>
+
+<decoder name="mountd-host">
+  <parent>mountd</parent>
+  <prematch>from host </prematch>
+  <regex offset="after_prematch">(\S+) port \d+$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+<!-- nss ldap decoders
+- Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
+- Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
+-->
+<!--
+<decoder name="nss-ldap">
+  <program_name>^sh$|^nscd$</program_name>
+  <prematch>^nss_ldap</prematch>
+</decoder>
+
+<decoder name="ldap-server">
+  <parent>nss-ldap</parent>
+  <prematch> server </prematch>
+  <regex offset="after_prematch">ldap://(\S+):</regex>
+  <order>system_name</order>
+</decoder>
+-->
+
+
+
+<!-- OpenBSD groupdel
+  - May 28 09:15:43 ix groupdel[25984]: group deleted: name=_dbus
+-->
+<decoder name="groupdel">
+  <program_name>groupdel</program_name>
+  <regex>^group deleted: name=(\S+)$</regex>
+  <order>extra_data</order>
+</decoder>
+
+
+<!-- Portsentry -->
+<decoder name="portsentry">
+  <program_name>^portsentry</program_name>
+</decoder>
+
+<decoder name="portsentry-attackalert">
+  <parent>portsentry</parent>
+  <prematch>attackalert: Connect from host: </prematch>
+  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
+  <order>srcip,protocol,dstport</order>
+</decoder>
+
+<decoder name="portsentry-blocked">
+  <parent>portsentry</parent>
+  <prematch>is already blocked. Ignoring$</prematch>
+  <regex>Host: (\S+) is</regex>
+  <order>srcip</order>
+</decoder>
+
+
+<!-- Clamav and Freshclam decoder
+  -  Nov  5 22:59:19 ix freshclam[32349]: Incremental update failed, trying to download daily.cvd
+-->
+<decoder name="clamd">
+  <program_name>^clamd</program_name>
+</decoder>
+
+<decoder name="freshclam">
+  <program_name>^freshclam</program_name>
+</decoder>
+
+
+<!-- OpenLDAP decoder.
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=0 BIND dn="uid=example,ou=People,dc=example,dc=com" method=128
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=0 RESULT tag=97 err=49 text=
+        ^- Login Failed
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=1 BIND dn="uid=example,ou=People,dc=example,dc=com" method=128
+        ^- Login Retried
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
+        ^- Login Successful
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=2 UNBIND
+  - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64
+        ^- Connection closed
+
+  -->
+<decoder name="openldap">
+    <program_name>^slapd</program_name>
+    <accumulate/>
+</decoder>
+
+<decoder name="openldap-connect">
+    <parent>openldap</parent>
+    <prematch>ACCEPT</prematch>
+    <regex>^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):</regex>
+    <order>id, srcip</order>
+    <accumulate/>
+</decoder>
+
+<decoder name="openldap-bind">
+    <parent>openldap</parent>
+    <prematch>BIND </prematch>
+    <regex>^conn=(\d+) op=\d+ BIND dn="\w+=(\w+),</regex>
+    <order>id, dstuser</order>
+    <accumulate/>
+</decoder>
+
+<decoder name="openldap-result">
+    <accumulate/>
+    <parent>openldap</parent>
+    <prematch> RESULT </prematch>
+    <regex>^conn=(\d+) op=\d+ RESULT </regex>
+    <order>id</order>
+</decoder>
+
+<!-- NTP decoder
+  - gorilla ntpd[27379]: bad sensor nmea0
+  - tiny ntpd[25875]: bad peer 192.168.1.233 (192.168.1.233)
+  - gorilla ntpd[29719]: bind on 192.168.1.233 failed, skipping: Can't assign requested address
+  - ix ntpd[8392]: bind on 192.168.17.9 failed, skipping: Address already in use
+  - ix ntpd[11685]: bad peer from pool pool.ntp.org (64.73.32.135)
+  - richese ntpd[3465]: bad peer ix (192.168.17.9)
+  - ix ntpd[11685]: bad peer from pool pool.ntp.org (69.50.219.51)
+  - ix ntpd[7045]: recvmsg 192.168.17.17: Connection refused
+  - ix ntpd[29411]: 2 out of 3 peers valid
+  - bridge ntpd[5877]: logconfig: illegal argument  - ignored
+  - bridge ntpd[5902]: offset 0.000000 sec freq 0.000 ppm error 0.000011 poll 6
+-->
+<decoder name="ntpd">
+  <program_name>^ntpd</program_name>
+</decoder>
+
+<decoder name="ntpd-bad-peer">
+  <parent>ntpd</parent>
+  <prematch offset="after_parent">^bad peer </prematch>
+  <regex>^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+<!-- Auditd
+163
+164   - Will extract action, id, status, extra_data, srcip
+165   - Author and (c): Michael Starks, 2011
+166   - Future enhancements should ensure that all log samples regress properly due to the complexity of these decoders
+167   - Examples:
+
+<!-- CentOS 5.5 -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)'
+type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
+type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
+type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
+
+<!-- Unknown source -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+
+<!-- Ubuntu 10.04 LTS -->
+type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
+type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null)
+type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod"
+type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
+type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
+
+<!-- Will not decode due to null name, that's OK -->
+type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0
+
+-->
+
+<decoder name="auditd">
+  <prematch>^type=</prematch>
+</decoder>
+
+<!-- SELinux -->
+<decoder name="auditd-selinux">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^AVC </prematch>
+  <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for  pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
+
+<!-- syscall -->
+<decoder name="auditd-syscall">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^SYSCALL </prematch>
+  <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
+
+<!-- config -->
+<decoder name="auditd-config">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
+  <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
+  <order>action,id,extra_data</order>
+</decoder>
+
+<!-- path (will only decode if name is not null)-->
+<decoder name="auditd-path">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^PATH </prematch>
+  <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
+  <order>action,id,extra_data</order>
+</decoder>
+
+<!-- user-related -->
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+  <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+  <order>action,id</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+  <order>user,extra_data,srcip</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>extra_data,srcip,status</order>
+</decoder>
+
+<!--
+mptscsih \ mptbase decoder
+
+Description: module for SCSI controllers.
+
+Examples:
+[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=ffff88007a8a9f00)
+
+[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
+[ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync
+
+[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
+[ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled
+-->
+<decoder name="mptscsih-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptscsih: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
+  <order>id,data,status</order>
+</decoder>
+
+<decoder name="mptbase-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptbase: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
+  <order>id,data,action,status</order>
+</decoder>
+
+<!-- Grandstream HT502 VoIP gateway decoder
+Author and (c): Michael Starks, 2014 -->
+
+<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -->
+
+<decoder name="grandstream-ata">
+ <prematch>^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* </prematch>
+</decoder>
+
+<decoder name="grandstream-registration">
+ <parent>grandstream-ata</parent>
+ <prematch>Received </prematch>
+ <regex offset="after_prematch">^(\d+) response for transaction (\d+)\((\w+)\)$</regex>
+ <order>status, id, action</order>
+</decoder>
+
+<decoder name="grandstream-fts-registered">
+ <parent>grandstream-ata</parent>
+ <prematch>Account </prematch>
+ <regex offset="after_prematch">^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$</regex>
+ <order>id, status, extra_data</order>
+ <fts>name, location, extra_data</fts>
+</decoder>
+
+<decoder name="grandstream-incoming-cid">
+ <parent>grandstream-ata</parent>
+ <prematch>Vinetic::</prematch>
+ <regex offset="after_prematch">^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$</regex>
+ <order>action, id</order>
+</decoder>
+
+<decoder name="grandstream-outgoing-call">
+ <parent>grandstream-ata</parent>
+ <regex offset="after_parent">^(Dialing) (\d+)$</regex>
+ <order>action, id</order>
+</decoder>
+
+
+<!-- apparmor
+  - Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
+  - Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+  - Jun 16 17:37:39 hostname kernel: [891880.587623] audit: type=1400 audit(1402933059.038:1681857): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/dovecot//null-1fde//null-1fdf" name="/usr/lib/dovecot/pop3-login" pid=13903 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18"
+  - Jun 16 17:37:39 hostname kernel: [891880.587957] audit: type=1400 audit(1402933059.038:1681858): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+  - Jun 16 17:37:39 hostname kernel: [891880.587976] audit: type=1400 audit(1402933059.038:1681859): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+  - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1402933059.038:1681860): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
+  - Jun 23 20:46:15 hostname kernel: [   11.103248] audit: type=1400 audit(1403549175.177:2): apparmor="STATUS" operation="profile_load" name="/sbin/klogd" pid=2185 comm="apparmor_parser"
+  - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
+  - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
+-->
+
+<decoder name="apparmor">
+  <parent>iptables</parent>
+  <prematch> apparmor=</prematch>
+  <regex> apparmor="(\S+)" operation="(\S+)"</regex>
+  <order>status, extra_data</order>
+</decoder>
+
+<!-- unix_chkpwd
+  - Jul 21 07:40:29 localhost unix_chkpwd[15804]: password check failed for user (username)
+-->
+<decoder name="unix_chkpwd">
+  <program_name>^unix_chkpwd</program_name>
+</decoder>
+
+<!--Jul 21 07:40:29 localhost unix_chkpwd[15804]: password check failed for user (username)-->
+<decoder name="chkpwd-user">
+  <parent>unix_chkpwd</parent>
+  <regex offset="after_parent">user \((\w+)\)$</regex>
+  <order>srcuser</order>
+</decoder>
+
+<!-- Barracuda S&VF Email Logs
+Examples:
+May 14 03:31:21 mx1.example.org inbound/pass1: mail-88-66.reachmail.net[216.55.88.66] 1400074281-06f4a338c037a90001-TkCAQV 1400074281 1400074283 RECV errors@mail-88-68.reachmail.net eteixeira@example.net 2 12 -
+May 15 14:09:17 mx1.example.org inbound/pass1: host.limitless-servers.com[192.208.186.41] 1400198954-06f4a338c062640001-BkZagu 1400198954 1400198958 SCAN - heartattackbreakthrough@ridchanceofhrtattk.us en@example.org - 2 74 ridchanceofhrtattk.us SZ:2557 SUBJ:THE #1 Trick to Prevent Heart-Attacks Revealed???
+May 16 10:12:29 mx1.example.org inbound/pass1: kumarafoundation.hestoe.com[208.123.118.114] 1400271149-06f4a338c07a210001-QwTJwG 1400271149 1400271151 SCAN - EzekielMack@kumarafoundation.hestoe.com ctakesue@example.org - 2 74 hestoe.com SZ:1917 SUBJ:Bad Economy, Bad Rates - Get An Auto Insurance Quotes Today
+May 13 01:20:44 mx1.example.org scan: salmon.emxp002.net[174.123.35.182] 1399980039-06f4a338c019db0001-ZAPlzU 1399980040 1399980045 SCAN - errors@mermaid.emxp002.net PTAUA@HINGYCA.ORG 1.636 0 0 - SZ:86808 SUBJ:ATTN PASILA: URGENT FUNDING AVAILABLE
+May 14 09:39:30 mx1.example.org scan: mc.eau.lormaneducation.com[64.198.99.4] 1400096370-06f4a338c040390001-vQoliC 1400096370 1400096372 SCAN - bounce-201405143661297864@mc.eau.lormaneducation.com tmoriyasu@dod.hawaii.gov 0.401 0 0 - SZ:22001 SUBJ:Contractor's Dilemma of Dealing With Bad Plans and Specs - OnDemand Webinar
+May 16 10:56:04 mx1.example.org scan: smtp133.elabs13.com[74.116.235.133] 1400273757-06f4a338c07b490001-CBNzJg 1400273757 1400273765 SCAN - newsletter@email.cnbc.com tcolwell@example.net 0.402 0 0 - SZ:26609 SUBJ:=?utf-8?Q?"Failure=20to=20Recall:=20Investigating=20GM"=20Premier?==?utf-8?Q?es=20Sunday=2010p=20ET/PT?=
+Jul 26 10:39:36 mx1.example.org outbound/smtp: 127.0.0.1 1406407176-06f4a35b4d10f2c0001-EGYtgK 0 0 SEND - 3 A90EBA1F1BA connect to dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]: server refused mail service
+Jul 26 13:38:16 mx1.example.org outbound/smtp: 127.0.0.1 1406248798-06f4a35b4de6bd0001-3QeedR 0 0 SEND - 3 68EC0A1F1A3 Name service error for name=conference.preventchildabusetexas.org type=MX: Host not found, try again
+Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2000001-PDxQZ2 0 0 SEND - 3 A194BA1F1AC connect to qw.eau.lormanwebinars.com[63.232.201.60]: Connection refused
+-->
+
+<decoder name="barracuda-svf-email">
+  <program_name>^inbound/pass|^scan|^outbound/smtp</program_name>
+</decoder>
+
+<decoder name="barracuda-svf1">
+  <parent>barracuda-svf-email</parent>
+  <prematch>^\S+[\S+]|</prematch>
+  <prematch>^\S+</prematch>
+  <regex>^\S+[(\S+)] (\d+-\w+-\w+) \d+ \d+ |</regex>
+  <regex>^(\S+) (\d+-\w+-\w+) \d+ \d+ </regex>
+  <order>srcip, id</order>
+</decoder>
+
+<!-- Info section - SCAN -->
+<decoder name="barracuda-svf1">
+  <parent>barracuda-svf-email</parent>
+  <regex offset="after_regex">(SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$</regex>
+  <order>action, extra_data</order>
+</decoder>
+
+<!-- Info section RECV -->
+<decoder name="barracuda-svf1">
+  <parent>barracuda-svf-email</parent>
+  <regex offset="after_regex">(RECV) (\S+ \S+ \d+ \d+ \.+)$</regex>
+  <order>action, extra_data</order>
+</decoder>
+
+<!-- Info section SEND -->
+<decoder name="barracuda-svf1">
+  <parent>barracuda-svf-email</parent>
+  <regex offset="after_regex">(SEND) (\S+ \d+ \S+ \.+)$</regex>
+  <order>action, extra_data</order>
+</decoder>
+
+<!-- Barracuda S&VF Administration-->
+
+<decoder name="barracuda-svf-admin">
+  <program_name>^web</program_name>
+</decoder>
+
+<decoder name="barracuda-svf-admin-change">
+  <parent>barracuda-svf-admin</parent>
+  <prematch>^[\S+] global[] CHANGE</prematch>
+  <regex offset="after_parent">^[(\S+)] global[] (CHANGE) (\S+ \(\S*)\)$</regex>
+  <order>srcip,action,extra_data</order>
+</decoder>
+
+<decoder name="barracuda-svf-admin-auth">
+  <parent>barracuda-svf-admin</parent>
+  <prematch>^[\S+] LOGIN|</prematch>
+  <prematch>^[\S+] FAILED_LOGIN|</prematch>
+  <prematch>^[\S+] LOGOUT</prematch>
+  <regex offset="after_parent">^[(\S+)] (\S+) \((\S+)\)\p*$</regex>
+  <order>srcip,action,user</order>
+</decoder>
+
+
+<!-- 
+  - Decoder for Sysmon Event ID 1: Process Created
+  - Maintained by Josh Brower, Josh@DefensiveDepth.com 
+  -
+  -  OSSEC to Sysmon Fields Mapping:
+  -  user = User
+  -  status = Image
+  -  url = Hash
+  -  extra_data = ParentImage
+  
+  - Examples:
+  - 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM  ProcessGuid: {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  Image: C:\Windows\system32\svchost.exe  CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log  User: WIN-U93G48C7BOP\Administrator  LogonGuid: {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash: 9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage: C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE 
+-->
+
+<decoder name="Sysmon-EventID#1">
+<type>windows</type>
+<prematch>INFORMATION\(1\)</prematch>
+<regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
+<order>status,user,url,data</order>
+</decoder>
+
+<!-- Squid access log decoder.
+  - Will extract the srcip.
+  - Author: Ahmet Ozturk
+  - Examples:
+  - 1140701044.525   1231 192.168.1.201 TCP_DENIED/400 1536
+    GET ahmet - NONE/- text/html
+  - 1140701230.827    781 192.168.1.210 TCP_DENIED/407 1785
+    GET http://www.ossec.net oahmet NONE/- text/html
+  -->
+<decoder name="squid-accesslog">
+  <type>squid</type>
+  <prematch>^\d+ \S+ </prematch>
+  <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
+  <order>srcip,action,id,url</order>
+</decoder>
+
+<!-- unbound
+  - 2014-05-20T09:01:07.283219-04:00 arrakis unbound: [9405:0] notice: sendto failed: Can't assign requested address
+  - 2014-07-14T14:00:02.814490-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 talkgadget.google.com. A IN
+  - 2014-07-14T14:00:05.507848-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: 3 queries, 2 answers from cache, 1 recursions, 0 prefetch
+  - 2014-07-14T14:00:05.507955-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
+  - 2014-07-14T14:00:05.508075-04:00 arrakis unbound: [2541:0] info: average recursion processing time 0.038814 sec
+  - 2014-07-14T14:00:05.508166-04:00 arrakis unbound: [2541:0] info: histogram of recursion processing times
+  - 2014-07-14T14:00:05.508248-04:00 arrakis unbound: [2541:0] info: [25%]=0 median[50%]=0 [75%]=0
+  - 2014-07-14T14:00:05.508333-04:00 arrakis unbound: [2541:0] info: lower(secs) upper(secs) recursions
+  - 2014-07-14T14:00:05.508414-04:00 arrakis unbound: [2541:0] info:    0.032768    0.065536 1
+  - 2014-07-14T15:05:07.520229-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 github.com. AAAA IN
+-->
+
+
+<decoder name="unbound">
+  <program_name>^unbound</program_name>
+</decoder>
+
+<decoder name="unbound-a">
+  <parent>unbound</parent>
+  <regex> info: (\S+) (\S+). A IN$| info: (\S+) (\S+) AAAA IN$</regex>
+  <order>srcip,url</order>
+</decoder>
+
+<!-- OpenBSD doas -->
+<decoder name="doas">
+  <program_name>^doas</program_name>
+</decoder>
+
+<decoder name="doas-user">
+  <parent>doas</parent>
+  <regex>^(\S+) ran| for (\S+):</regex>
+  <order>srcuser</order>
+</decoder>
+
+<decoder name="doas-user">
+  <parent>doas</parent>
+  <regex offset="after_parent"> as (\S+): </regex>
+  <order>dstuser</order>
+</decoder>
+
+<!-- Exim
+  - Examples:
+  - 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
+  - 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test)
+  - 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1)
+  - 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost
+  - 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123")
+-->
+
+<decoder name="exim-authfailed">
+  <parent>windows-date-format</parent>
+  <prematch offset="after_parent">authenticator failed</prematch>
+  <regex offset="after_prematch">[(\S+)]:\d+: \d+ Incorrect authentication data \(set_id=(\w+)\)</regex>
+  <order>srcip,user</order>
+</decoder>
+
+<decoder name="exim-connect">
+  <parent>windows-date-format</parent>
+  <prematch offset="after_parent">^SMTP connection from </prematch>
+  <regex offset="after_prematch">[(\S+)]:\d+ \(TCP/IP connection count</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="exim-disconnect">
+  <parent>windows-date-format</parent>
+  <prematch offset="after_parent">^SMTP connection from </prematch>
+  <regex offset="after_prematch">[(\S+)]:\d+ lost</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="exim-syntax-errors">
+  <parent>windows-date-format</parent>
+  <prematch offset="after_parent">^SMTP call from </prematch>
+  <regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex>
+  <order>srcip</order>
+</decoder>
+
+<!-- NSD
+   - Aug 11 13:21:46 ix nsd[16565]: server initialization failed, nsd could not be started
+   - Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: syntax error
+   - Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: unrecognized RR type 'name:'
+   - Aug 12 09:01:00 junction.example.com nsd[7405]: NSTATS 1439384460 1439314258 A=1 AAAA=1
+   - Aug 12 09:01:00 junction.example.com nsd[7405]: XSTATS 1439384460 1439314258 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAn
+s=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
+   - Dec 16 12:51:17 pine nsd[90235]: xfrd: zone example.com received error code NOT IMPL from 192.168.17.9@153
+-->
+
+<decoder name="nsd">
+  <program_name>^nsd</program_name>
+</decoder>
+
+<decoder name="nsd-from">
+  <parent>nsd</parent>
+  <regex> from (\S+)@| from (\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+<!-- ownCloud
+   - Examples owncloud.log (Note that the syntax of failed login logs differs between oler and newer ownCloud versions):
+   - {"reqId":"Jrd4fkwIcXhVjtP8qODR","level":2,"time":"2017-09-20T15:44:23+02:00","remoteAddr":"127.0.0.1","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')"}
+   - {"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}
+   - {"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}
+   - {"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
+   - {"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}
+   - {"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
+   - {"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}
+   - {"reqId":"9f8edc5558b2b4f8628663d83a092a7f","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:19:02   - +00:00","method":"POST","url":"\/cloud\/index.php"}
+   - {"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}
+   - {"reqId":"5576a04643d8e","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:13:58+00:00","method":"POST","url":"\/owncloud\/index.php"}
+   - {"app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:10:29+00:00"}
+   - {"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php"}
+   - {"reqId":"BaW6nfA5rHBoihjDtQVm","remoteAddr":"127.0.0.1","app":"core-preview","message":"Passed filename is not valid, might be malicious (file:\"test\";ip:\"127.0.0.1\")","level":2,"time":"2017-09-01T22:11:25+02:00","method":"POST","url":"\/login","user":"--"}
+   - {"reqId":"4ETnKW0UyDBNmL4z\/umV","remoteAddr":"127.0.0.1","app":"PHP","message":"Redis::connect(): connect() failed: No such file or directory at \/var\/www\/owncloud\/lib\/private\/RedisFactory.php#60","level":3,"time":"2017-08-21T16:00:34+02:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/admin\/example\/","user":"admin"}
+   - {"reqId":"4j2DKpvOh0OezXVwfuLO","remoteAddr":"127.0.0.1","app":"PHP","message":"fopen(\/var\/www\/owncloud\/data\/user 1\/thumbnails\/1234\/32-32.png): failed to open stream: No such file or directory at \/var\/www\/owncloud\/lib\/private\/Files\/Storage\/Local.php#278","level":3,"time":"2017-07-15T23:59:20+02:00","method":"GET","url":"\/core\/preview.png?file=%2Fexample.txt&c=123&x=32&y=32&forceIcon=0","user":"user 1"}
+
+   - Examples syslog:
+   - Sep  1 20:16:09 foo ownCloud[15463]: {core} Login failed: 'test' (Remote IP: '127.0.0.1')
+   - Sep  1 22:16:33 foo ownCloud[15467]: {core-preview} Passed filename is not valid, might be malicious (file:"test";ip:"127.0.0.1")
+-->
+
+<decoder name="owncloud">
+  <prematch>^{"reqId":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"app":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"reqId":"\S+","level":\d,"time":"\S+","message":"\.+"}$</prematch>
+</decoder>
+
+<!-- Note: This defaults to "ownCloud" but users can change the syslog tag: https://github.com/owncloud/core/blob/v10.0.2/config/config.sample.php#L608-L614 -->
+<decoder name="owncloud">
+  <program_name>^ownCloud</program_name>
+</decoder>
+
+<decoder name="owncloud-failed1">
+  <parent>owncloud</parent>
+  <prematch>Login failed: user </prematch>
+  <regex offset="after_prematch">^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+)</regex>
+  <order>user, srcip</order>
+</decoder>
+
+<decoder name="owncloud-failed2">
+  <parent>owncloud</parent>
+  <prematch>Login failed: </prematch>
+  <regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+)</regex>
+  <order>user, srcip</order>
+</decoder>
+
+<decoder name="owncloud-malicious">
+  <parent>owncloud</parent>
+  <prematch>Passed filename is not valid, might be malicious </prematch>
+  <regex offset="after_prematch">;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+)</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="owncloud-loglevel">
+  <parent>owncloud</parent>
+  <prematch>","level":</prematch>
+  <regex offset="after_prematch">^(\d),"</regex>
+  <order>status</order>
+</decoder>
+
+<!-- psad
+  - Examples: (Note: IPv6 untested)
+  - Sep  8 22:52:30 sni psad: scan detected (Nmap -sT or -sS scan): 212.83.152.232 -> 1.2.3.4 tcp: [21943] flags: SYN tcp pkts: 3 DL: 3
+  - Sep  9 08:36:30 sni psad: src: 62.210.167.199 signature match: "BACKDOOR DoomJuice file upload attempt" (sid: 2375) tcp port: 3180
+  - Sep  9 08:36:30 sni psad: scan detected (Masscan SYN scan): 62.210.167.199 -> 1.2.3.4 tcp: [3320-62210] flags: SYN tcp pkts: 10 DL: 3
+  - Sep  3 14:18:52 sni psad: scan detected ( -sU scan): 192.168.1.42 -> 239.255.255.250 udp: [1900] udp pkts: 16 DL: 3
+  - Sep  4 11:33:23 sni psad: src: 46.17.46.8 signature match: "MISC Microsoft PPTP communication attempt" (sid: 100082) tcp port: 1723
+  - Sep  4 11:33:23 sni psad: src: 46.17.46.8 signature match: "DOS iParty DOS attempt" (sid: 1605) tcp port: 6004
+  - Sep  4 11:33:23 sni psad: src: 46.17.46.8 signature match: "DOS Real Audio Server communication attempt" (sid: 100112) tcp port: 7070
+  - Sep  4 11:33:23 sni psad: src: 46.17.46.8 signature match: "BACKDOOR DoomJuice file upload attempt" (sid: 2375) tcp port: 3129
+  - Aug  9 16:46:32 dsc psad: message repeated 2 times: [ scan detected (Nmap -sT or -sS scan): 10.1.0.15 -> 192.168.1.18 tcp: [80] flags: SYN tcp pkts: 3 DL: 3]example logs: 
+-->
+
+<decoder name="psad">
+  <program_name>psad</program_name>
+</decoder>
+
+<decoder name="psad-scan">
+  <parent>psad</parent>
+  <prematch>^scan detected </prematch>
+  <regex offset="after_prematch"> (\S+) -> (\S+) \.+ DL: (\d)</regex>
+  <order>srcip,dstip,status</order>
+</decoder>
+
+<decoder name="psad-repeated">
+  <parent>psad</parent>
+  <prematch>^message repeated</prematch>
+  <regex offset="after_prematch"> (\S+) -> (\S+) \.+ DL: (\d)</regex>
+  <order>srcip,dstip,status</order>
+</decoder>
+
+<decoder name="psad-signature">
+  <parent>psad</parent>
+  <prematch>signature match: </prematch>
+  <regex offset="after_parent">src: (\S+) signature match: \.+ port: (\d+)</regex>
+  <order>srcip,dstport</order>
+</decoder>
+
+<!-- Proxmox Virtual Environment (Proxmox VE)
+   - Examples syslog:
+   - Sep 10 22:12:41 example pvedaemon[6427]: authentication failure; rhost=192.168.0.1 user=root@pam msg=Authentication failure
+   - Sep 10 22:12:49 example pvedaemon[6428]: authentication failure; rhost=192.168.0.1 user=root@pve msg=no such user ('root@pve')
+   - Sep 10 22:12:54 example pvedaemon[6428]: <root@pam> successful auth for user 'root@pam'
+   - Sep 10 22:13:44 example pvedaemon[6427]: <root@pam> starting task UPID:example:00000000:11111111:22222222:vzstart:100:root@pam:
+   - Sep 10 22:13:44 example pvedaemon[13735]: starting CT 100: UPID:example:00000000:11111111:22222222:vzstart:100:root@pam:
+   - Sep 10 22:13:46 example pvedaemon[6427]: <root@pam> end task UPID:example:00000000:11111111:22222222:vzstart:100:root@pam: OK
+   - Sep 10 22:13:47 example pvestatd[1892]: modified cpu set for lxc/100: 4
+   - Sep 10 06:25:44 example pveproxy[15342]: received signal TERM
+   - Sep 10 06:25:44 example pveproxy[15342]: server closing
+   - Sep 10 06:25:44 example pveproxy[15345]: worker exit
+   - Sep 10 06:25:44 example pveproxy[15344]: worker exit
+   - Sep 10 06:25:44 example pveproxy[15343]: worker exit
+   - Sep 10 06:25:44 example pveproxy[15342]: worker 15343 finished
+   - Sep 10 06:25:44 example pveproxy[15342]: worker 15344 finished
+   - Sep 10 06:25:44 example pveproxy[15342]: worker 15345 finished
+   - Sep 10 06:25:44 example pveproxy[15342]: server stopped
+   - Sep 10 06:25:45 example pveproxy[22375]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
+   - Sep 10 06:25:45 example pveproxy[22413]: starting server
+   - Sep 10 06:25:45 example pveproxy[22413]: starting 3 worker(s)
+   - Sep 10 06:25:45 example pveproxy[22413]: worker 22414 started
+   - Sep 10 06:25:45 example pveproxy[22413]: worker 22415 started
+   - Sep 10 06:25:45 example pveproxy[22413]: worker 22416 started
+   - Sep 10 06:25:47 example pvepw-logger[15428]: received terminate request (signal)
+   - Sep 10 06:25:47 example pvepw-logger[15428]: stopping pvefw logger
+   - Sep 10 06:25:48 example pvepw-logger[22551]: starting pvefw logger
+-->
+
+<decoder name="pvedaemon">
+  <program_name>^pvedaemon</program_name>
+</decoder>
+
+<decoder name="pvestatd">
+  <program_name>^pvestatd</program_name>
+</decoder>
+
+<decoder name="pveproxy">
+  <program_name>^pveproxy</program_name>
+</decoder>
+
+<decoder name="pvepw-logger">
+  <program_name>^pvepw-logger</program_name>
+</decoder>
+
+<decoder name="pvedaemon-auth-failed">
+  <parent>pvedaemon</parent>
+  <prematch>authentication failure; </prematch>
+  <regex offset="after_prematch">^rhost=(\S+) user=(\S+)@pam msg=|^rhost=(\S+) user=(\S+)@pve msg=</regex>
+  <order>srcip, user</order>
+</decoder>
+
+<decoder name="pvedaemon-auth-success">
+  <parent>pvedaemon</parent>
+  <prematch>successful auth for user '</prematch>
+  <regex offset="after_prematch">^(\S+)@pam'$|^(\S+)@pve'$</regex>
+  <order>user</order>
+</decoder>
+
+<decoder name="dhcpd">
+  <program_name>^dhcpd$</program_name>
+</decoder>
+
+<decoder name="dhcpd-data">
+  <parent>dhcpd</parent>
+  <regex offset="after_parent">^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$</regex>
+  <order>action, srcip, extra_data, extra_data</order>
+</decoder>
+
+<decoder name="dhcpd-ack">
+  <parent>dhcpd</parent>
+  <prematch> acking </prematch>
+  <regex offset="after_parent">already acking lease (\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="dhcpd-release">
+  <parent>dhcpd</parent>
+  <prematch>^IP address</prematch>
+  <regex offset="after_parent">^IP address (\S+) </regex>
+  <order>srcip</order>
+</decoder>
+
+<!-- OpenBSD httpd -->
+<decoder name="openbsd-httpd">
+  <prematch> [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "</prematch>
+  <regex>^(\S+) (\S+) \S+ \S+ [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "(\S+) (\S+) HTTP/\d.\d" (\d+) \d$</regex>
+  <order>url, srcip, protocol, url, status</order>
+  <type>web-log</type>
+</decoder>
+
+<!-- dnsmasq -->
+<decoder name="dnsmasq">
+  <!--<program_name>^dnsmasq</program_name>-->
+  <prematch>^dnsmasq</prematch>
+</decoder>
+
+<decoder name="dnsmasq2">
+  <parent>dnsmasq</parent>
+  <regex offset="after_parent">^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) to (\S+)|</regex>
+  <regex>^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) from (\S+)|</regex>
+  <regex>^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) is (\S+)</regex>
+  <order>srcip, action, url, extra_data</order>
+</decoder>
+
+<!-- Kaspersky Endpoint Security 10 for Linux -->
+<!-- Kesl example Logs -->
+<!-- Nov  5 00:11:21 hostname kesl: {"EventType": "AVBasesAreTotallyOutOfDate","EventId": "27336","TaskName": "Update","TaskId": "6","AVBasesDate": "2018-10-17 09:49:00"} -->
+<!-- Oct 25 13:11:21 hostname kesl: {"EventType": "AVBasesAreOutOfDate","EventId": "27311","TaskName": "Update","TaskId": "6","AVBasesDate": "2018-10-17 09:49:00"} -->
+<!-- Nov 10 13:19:27 hostname kesl: {"EventType": "UpdateError","EventId": "27381","TaskType": "Update","TaskName": "Update","TaskId": "6","RuntimeTaskId": "120"} -->
+<!-- Nov 10 13:22:09 hostname kesl: {"EventType": "ThreatDetected","EventId": "27384","DetectName": "EICAR-Test-File","DetectType": "Virware","DetectCertainty": "Sure","DetectSource": "Local","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "20","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "root","AccessUserId": "0","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectSavedToBackup","EventId": "27448","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectNotDisinfected","EventId": "27449","ObjectNotDisinfectedReason": "NonCurable","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectDeleted","EventId": "27450","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
+<!-- Nov 14 12:44:04 hostname kesl: {"EventType": "TaskStateChanged","EventId": "27438","TaskName": "Update","TaskType": "Update","TaskId": "6","TaskState": "Starting","PrevTaskState": "Stopped","TaskRequestInitiator": "User","RuntimeTaskId": "127"} -->
+<!-- Nov 14 12:44:04 hostname kesl: {"EventType": "TaskStateChanged","EventId": "27439","TaskName": "Update","TaskType": "Update","TaskId": "6","TaskState": "Started","PrevTaskState": "Starting","TaskRequestInitiator": "User","RuntimeTaskId": "127"} -->
+
+<decoder name="kesl">
+  <program_name>^kesl</program_name>
+</decoder>
+
+<decoder name="kesl-avbases-old">
+  <parent>kesl</parent>
+  <prematch>^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\p</prematch>
+  <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\p\p</regex>
+  <order>status, id, action, extra_data</order> 
+</decoder>
+
+<decoder name="kesl-threat-detected">
+  <parent>kesl</parent>
+  <prematch>^\p\pEventType\p: \p\S+\p,\pEventID\p: \p\d+\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p\S+\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \p\S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p</prematch>
+  <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventID\p: \p(\d+)\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p(\S+)\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p</regex>
+  <order>status, id, extra_data, action</order>
+</decoder>
+
+<decoder name="kesl-taskstatechange">
+  <parent>kesl</parent>
+  <prematch>^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p\S+\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p\S+\p,\pRuntimeTaskId\p: \p\d+\p\p</prematch>
+  <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p(\S+)\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p(\S+)\p,\pRuntimeTaskId\p: \p\d+\p\p</regex>
+  <order>action, id, extra_data, status, srcuser</order>
+</decoder>
+
+<!-- MHN - Json log decoder - Dionaea -->
+<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-09-14T11:02:54.215411", "dionaea_action": "reject", "type": "dionaea.connections", "app": "dionaea", "src_ip": "16.10.10.10", "vendor_product": "Dionaea", "dest_port": 365, "signature": "Connection to Honeypot", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
+<decoder name="dionaea">
+  <prematch>dionaea.connections</prematch>
+  <regex>^{\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: "(\S+)", \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
+  <order>extra_data, protocol, action, srcip, dstport, srcport, dstip</order>
+</decoder>
+
+<!-- MHN - Json log decoder - Cowrie -->
+<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "ssh_username": "admin", "app": "cowrie", "transport": "tcp", "dest_port": 22, "src_port": 45302, "severity": "high", "timestamp": "2018-10-23T11:22:36.597864", "vendor_product": "Cowrie", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "src_ip": "16.10.10.10", "ssh_password": "password", "signature": "SSH login attempted on cowrie honeypot", "ssh_version": "'SSH-2.0-Sun_SSH_1.1.4'", "type": "cowrie.sessions", "dest_ip": "16.10.10.11"} -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-10-23T07:45:56.937787", "vendor_product": "Cowrie", "type": "cowrie.sessions", "app": "cowrie", "src_ip": "16.10.10.10", "dest_port": 22, "signature": "SSH session on cowrie honeypot", "ssh_version": "'SSH-2.0-Sun_SSH_1.1.4'", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
+<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-11-14T10:32:38.686578", "app": "cowrie", "transport": "tcp", "dest_port": 22, "src_port": 45302, "severity": "high", "vendor_product": "Cowrie", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "src_ip": "16.10.10.10", "command": "whoami", "signature": "command attempted on cowrie honeypot", "ssh_version": "'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4'", "type": "cowrie.sessions", "dest_ip": "16.10.10.11"} -->
+
+<decoder name="cowrie">
+  <prematch>cowrie.sessions</prematch>
+</decoder>
+
+<decoder name="cowrie-attempt">
+  <parent>cowrie</parent>
+  <prematch>"SSH login attempted</prematch>
+  <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
+  <order>protocol, extra_data, user, dstport, srcport, srcip, action, dstip</order>
+</decoder>
+
+<decoder name="cowrie-session">
+  <parent>cowrie</parent>
+  <prematch>"SSH session on cowrie honeypot</prematch>
+  <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: "(\S+)", \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
+  <order>protocol, extra_data, srcip, dstport, action, srcport, dstip</order>
+</decoder>
+
+<decoder name="cowrie-command">
+  <parent>cowrie</parent>
+  <prematch>"command attempted on cowrie honeypot</prematch>
+  <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
+  <order>protocol, extra_data, dstport, srcport, srcip, action, dstip</order>
+</decoder>
 
 <!-- EOF -->