+<!-- OpenBSD kernel messages -->
+<decoder name="bsd_kernel">
+ <program_name>^/bsd</program_name>
+</decoder>
+
+<decoder name="bsd_arp">
+ <parent>bsd_kernel</parent>
+ <prematch offset="after_parent">^arp </prematch>
+ <regex offset="after_prematch"> for (\S+) by (\S+) on \S+</regex>
+ <order>dstip, extra_data</order>
+</decoder>
+
+
+<!-- OpenBSD mountd decoder
+- Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
+-->
+
+<decoder name="mountd">
+ <program_name>^mountd</program_name>
+</decoder>
+
+<decoder name="mountd-host">
+ <parent>mountd</parent>
+ <prematch>from host </prematch>
+ <regex offset="after_prematch">(\S+) port \d+$</regex>
+ <order>srcip</order>
+</decoder>
+
+
+<!-- bro-ids decoders
+ - Aug 25 08:52:10 junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
+ - Aug 26 12:34:27 junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
+ - junction bro: Starting incremental serialization...
+ - junction bro: Finished incremental serialization.
+ - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=307 msg=AckAboveHole\\ (307\\ times) tag=@81-2fd-1f9
+ - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=7 msg=ContentGap\\ (7\\ times) tag=@81-2fd-1fa
+ - ix bro: no=ResourceSummary na=NOTICE_ALARM_ALWAYS es=bro msg=elapsed\\ time\\ \\=\\ 376.0\\ msecs\\ 174.0\\ usecs,\\ total\\ CPU\\ \\=\\ 390.0\\ msecs,\\ maximum\\ memory\\ \\=\\ 0\\ KB,\\ peak\\ connections\\ \\=\\ 0,\\ peak\\ timers\\ \\=\\ 84,\\ peak\\ fragments\\ \\=\\ 0 tag=@69-1f25-1
+ - junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
+ - junction bro: no=ZoneTransfer na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.1.9 sp=4175/tcp da=192.168.1.17 dp=53/tcp p=53/tcp msg=transfer\\ of\\example.com\\ requested\\ by\\ 192.168.1.9 tag=@61-3a46-d
+ - ix bro: no=SensitivePortmapperAccess na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 sp=2957/tcp da=192.168.17.9 dp=111/tcp p=111/tcp msg=rpc:\\ 192.168.17.8/2957\\ >\\ 192.168.17.9/portmap\\ pm_dump:\\ (done) tag=@46-764d-5d
+ - junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
+-->
+
+<decoder name="bro-ids">
+ <program_name>^bro</program_name>
+</decoder>
+
+<decoder name="bro-portscan">
+ <parent>bro-ids</parent>
+ <prematch>no=PortscanSummary</prematch>
+ <regex>sa=(\S+) num=(\d+) msg=</regex>
+ <order>srcip,extra_data</order>
+</decoder>
+
+<decoder name="bro-portscan2">
+ <parent>bro-ids</parent>
+ <prematch>no=PortScan </prematch>
+ <regex>sa=(\S+) p=(\d+)/(\S+) num=(\d+)</regex>
+ <order>srcip,srcport,protocol,extra_data</order>
+</decoder>
+
+<decoder name="bro-typical">
+ <parent>bro-ids</parent>
+ <prematch>na=NOTICE</prematch>
+ <regex>sa=(\S+) sp=(\d+)/(\S+) da=(\S+) dp=(\d+)/\S+</regex>
+ <order>srcip,srcport,protocol,dstip,dstport</order>
+</decoder>
+
+
+
+<!-- nss ldap decoders
+- Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
+- Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
+-->
+<!--
+<decoder name="nss-ldap">
+ <program_name>^sh$|^nscd$</program_name>
+ <prematch>^nss_ldap</prematch>
+</decoder>
+
+<decoder name="ldap-server">
+ <parent>nss-ldap</parent>
+ <prematch> server </prematch>
+ <regex offset="after_prematch">ldap://(\S+):</regex>
+ <order>system_name</order>
+</decoder>
+-->
+
+
+
+<!-- OpenBSD groupdel
+ - May 28 09:15:43 ix groupdel[25984]: group deleted: name=_dbus
+-->
+<decoder name="groupdel">
+ <program_name>groupdel</program_name>
+ <regex>^group deleted: name=(\S+)$</regex>
+ <order>extra_data</order>
+</decoder>
+
+
+<!-- Portsentry -->
+<decoder name="portsentry">
+ <program_name>^portsentry</program_name>
+</decoder>
+
+<decoder name="portsentry-attackalert">
+ <parent>portsentry</parent>
+ <prematch>attackalert: Connect from host: </prematch>
+ <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
+ <order>srcip,protocol,dstport</order>
+</decoder>
+
+<decoder name="portsentry-blocked">
+ <parent>portsentry</parent>
+ <prematch>is already blocked. Ignoring$</prematch>
+ <regex>Host: (\S+) is</regex>
+ <order>srcip</order>
+</decoder>
+
+
+<!-- Clamav and Freshclam decoder
+ - Nov 5 22:59:19 ix freshclam[32349]: Incremental update failed, trying to download daily.cvd
+-->
+<decoder name="clamd">
+ <program_name>^clamd</program_name>
+</decoder>
+
+<decoder name="freshclam">
+ <program_name>^freshclam</program_name>
+</decoder>
+
+
+<!-- OpenLDAP decoder.
+ - Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
+ -->
+<decoder name="openldap">
+ <program_name>^slapd</program_name>
+ <regex>^conn=(\d+) </regex>
+ <order>id</order>
+</decoder>
+
+
+
+<!-- NTP decoder
+ - gorilla ntpd[27379]: bad sensor nmea0
+ - tiny ntpd[25875]: bad peer 192.168.1.233 (192.168.1.233)
+ - gorilla ntpd[29719]: bind on 192.168.1.233 failed, skipping: Can't assign requested address
+ - ix ntpd[8392]: bind on 192.168.17.9 failed, skipping: Address already in use
+ - ix ntpd[11685]: bad peer from pool pool.ntp.org (64.73.32.135)
+ - richese ntpd[3465]: bad peer ix (192.168.17.9)
+ - ix ntpd[11685]: bad peer from pool pool.ntp.org (69.50.219.51)
+ - ix ntpd[7045]: recvmsg 192.168.17.17: Connection refused
+ - ix ntpd[29411]: 2 out of 3 peers valid
+ - bridge ntpd[5877]: logconfig: illegal argument - ignored
+ - bridge ntpd[5902]: offset 0.000000 sec freq 0.000 ppm error 0.000011 poll 6
+-->
+<decoder name="ntpd">
+ <program_name>^ntpd</program_name>
+</decoder>
+
+<decoder name="ntpd-bad-peer">
+ <parent>ntpd</parent>
+ <prematch offset="after_parent">^bad peer </prematch>
+ <regex>^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$</regex>
+ <order>srcip</order>
+</decoder>
+
+
+<!-- Auditd
+163
+164 - Will extract action, id, status, extra_data, srcip
+165 - Author and (c): Michael Starks, 2011
+166 - Future enhancements should ensure that all log samples regress properly due to the complexity of these decoders
+167 - Examples:
+
+<!-- CentOS 5.5 -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)'
+type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
+type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
+type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
+
+<!-- Unknown source -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+
+<!-- Ubuntu 10.04 LTS -->
+type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
+type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null)
+type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod"
+type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
+type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
+
+<!-- Will not decode due to null name, that's OK -->
+type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0
+
+-->
+
+<decoder name="auditd">
+ <prematch>^type=</prematch>
+</decoder>
+
+<!-- SELinux -->
+ <decoder name="auditd-selinux">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^AVC </prematch>
+ <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
+ <order>action,id,status,extra_data</order>
+ </decoder>
+
+<!-- syscall -->
+ <decoder name="auditd-syscall">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^SYSCALL </prematch>
+ <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
+ <order>action,id,status,extra_data</order>
+ </decoder>
+
+<!-- config -->
+ <decoder name="auditd-config">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
+ <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
+ <order>action,id,extra_data</order>
+ </decoder>
+
+<!-- path (will only decode if name is not null)-->
+ <decoder name="auditd-path">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^PATH </prematch>
+ <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
+ <order>action,id,extra_data</order>
+ </decoder>
+
+<!-- user-related -->
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+ <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+ <order>action,id</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+ <order>user,extra_data,srcip</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+ <order>user,extra_data,srcip,status</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+ <order>user,extra_data,srcip,status</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+ <order>extra_data,srcip,status</order>
+ </decoder>