<!-- RouterOS management login/logout event of the shape
     "user <name> logged <word> from <addr> via <method>".
     Captured fields, in group order: username, action, srcip, access_method.
     NOTE(review): <prematch> carries no type attribute, so it is evaluated with the
     default (OS_Regex) syntax while <regex> is PCRE2; the two patterns are textually
     identical and should be kept in sync if either is edited.
     NOTE(review): no <parent> or <program_name> restricts this decoder, so the prematch
     is presumably tried against any event whose text contains this phrase. -->
<decoder name="user_login">
<prematch>user (\S+) logged (\S+) from (\S+) via (\S+)</prematch>
<regex type="pcre2">user (\S+) logged (\S+) from (\S+) via (\S+)</regex>
<order>username, action, srcip, access_method</order>
</decoder>
<!-- Failed management login: "login failure for user <name> from <addr> via <method>".
     Captured fields, in group order: username, srcip, access_method.
     The srcip field is the value brute-force or frequency rules would key on.
     NOTE(review): <prematch> uses the default (OS_Regex) syntax, <regex> is PCRE2;
     keep both patterns in sync. -->
<decoder name="user_login_failure">
<prematch>login failure for user (\S+) from (\S+) via (\S+)</prematch>
<regex type="pcre2">login failure for user (\S+) from (\S+) via (\S+)</regex>
<order>username, srcip, access_method</order>
</decoder>
<!-- WireGuard peer event: "wireguard user <name> logged <word> from <addr>".
     Captured fields, in group order: username, action, srcip.
     NOTE(review): the message text also contains "user ... logged ... from ...",
     which the user_login decoder above matches only when followed by "via";
     verify against real samples that the two decoders do not compete. -->
<decoder name="wireguard">
<prematch>wireguard user (\S+) logged (\S+) from (\S+)</prematch>
<regex type="pcre2">wireguard user (\S+) logged (\S+) from (\S+)</regex>
<order>username, action, srcip</order>
</decoder>
<!-- VPN (PPP-style) session event of the shape "<name> logged <word>, <addr> from <addr>".
     Captured fields, in group order: username, action, localip, srcip.
     NOTE(review): the prematch has no leading keyword, so any event containing
     "<word> logged <word>, <word> from <word>" is a candidate; there is no <parent> or
     <program_name> scoping it. Confirm on live data that unrelated sources cannot
     produce this shape. -->
<decoder name="vpn">
<prematch>(\S+) logged (\S+), (\S+) from (\S+)</prematch>
<regex type="pcre2">(\S+) logged (\S+), (\S+) from (\S+)</regex>
<order>username, action, localip, srcip</order>
</decoder>
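<!-- Failed VPN authentication: "<x><a.b.c.d><x>: user <name> authentication failed",
     where the two \S placeholders absorb whatever single character brackets the address.
     Captured fields, in group order: srcip, username.
     The PCRE2 <regex> escapes the dots of the dotted quad so that srcip can only hold
     digits separated by literal "." (an unescaped "." would accept any character and
     could store non-address text in srcip). Every real IPv4 literal still matches.
     <prematch> is left in the default (OS_Regex) syntax as before; it only gates which
     events reach the PCRE2 extraction, so its looser dots are acceptable. -->
<decoder name="vpn_login_failure">
<prematch>\S(\d+.\d+.\d+.\d+)\S: user (\S+) authentication failed</prematch>
<regex type="pcre2">\S(\d+\.\d+\.\d+\.\d+)\S: user (\S+) authentication failed</regex>
<order>srcip, username</order>
</decoder>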
<!-- Firewall filter rule modification made through WinBox.
     Captured fields, in group order: action (changed|removed|added), srcprogram,
     username, srcip, rule_details (the parenthesised remainder of the message).
     Both <prematch> and <regex> are PCRE2 here.
     NOTE(review): this pattern expects "(\S+)\S" between "by" and "tcp-msg(winbox)",
     whereas raw_rule_change and user_change expect "by tcp-msg(winbox)" directly.
     Confirm against a real sample which form RouterOS emits; if both shapes occur,
     the decoders should agree. -->
<decoder name="filter_rule_change">
<prematch type="pcre2">filter rule (changed|removed|added) by</prematch>
<regex type="pcre2">filter rule (changed|removed|added) by (\S+)\Stcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
<order>action, srcprogram, username, srcip, rule_details</order>
</decoder>
<!-- Firewall raw rule modification made through WinBox:
     "raw rule <action> by tcp-msg(winbox):<user>@<addr> (<details>)".
     Captured fields, in group order: action (changed|removed|added), username, srcip,
     rule_details. Both <prematch> and <regex> are PCRE2. -->
<decoder name="raw_rule_change">
<prematch type="pcre2">raw rule (changed|removed|added) by</prematch>
<regex type="pcre2">raw rule (changed|removed|added) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
<order>action, username, srcip, rule_details</order>
</decoder>
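<!-- Local account modification made through WinBox:
     "user <account> <action> by tcp-msg(winbox):<actor>@<addr> (<details>)".
     Capture groups in the PCRE2 <regex>, in order:
       1. the account being modified      -> newuser
       2. added | password changed | removed -> action
       3. the administrator performing it -> username
       4. the administrator's address     -> srcip
       5. the parenthesised remainder     -> rule_details
     The <order> list follows the capture-group order above. The previous list named
     the first two fields as "action, newuser", which stored the modified account name
     in action and the verb in newuser, so any rule matching action against
     added/removed could never fire for this decoder. -->
<decoder name="user_change">
<prematch type="pcre2">user (\S+) (added|password changed|removed) by</prematch>
<regex type="pcre2">user (\S+) (added|password changed|removed) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
<order>newuser, action, username, srcip, rule_details</order>
</decoder>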
<!-- Generic catch-all for WinBox-originated changes:
     "<type> <target> <action> by tcp-msg(winbox):<user>@<addr> (<details>)".
     Captured fields, in group order: type, target, action, username, srcip, rule_details.
     Both <prematch> and <regex> are PCRE2.
     NOTE(review): the prematch "(\S+) (\S+) (\S+) by" is extremely broad and has no
     <parent> or <program_name> scoping; if decoders are tried in file order it must stay
     after the more specific filter_rule_change, raw_rule_change and user_change decoders,
     and the PCRE2 <regex> is what actually limits it to tcp-msg(winbox) events. -->
<decoder name="mikrotik_log">
<prematch type="pcre2">(\S+) (\S+) (\S+) by</prematch>
<regex type="pcre2">(\S+) (\S+) (\S+) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
<order>type, target, action, username, srcip, rule_details</order>
</decoder>