Open
📌 Request Details
Required Information
- Target version:
- Request type
- Product update
- Fixes or corrections
- Improvement
- Other:
- Affected Documentation
- Documentation section(s):
- Specific page URLs:
Description
Hello! I didn't know where to put fixes for this blog post page: https://wazuh.com/blog/monitoring-network-devices/
You may find there, in the "Mikrotik decoders" section, the decoders for the Mikrotik:
```xml
<decoder name="mikrotik">
<prematch>^RouterOS7.1-logs: </prematch>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik dhcp-client on (\S+) (.*?) address (\d+.\d+.\d+.\d+)</regex>
<order>logtimestamp, interface, action, ip_address</order>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik router (\S+)</regex>
<order>logtimestamp, action</order>
</decoder>
```
So the interesting lines are the regex tags, such as:

```xml
<regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
```

Those are almost correct, except for the regex for IP address decoding: `(\d+.\d+.\d+.\d+)` can also read `192.168`, which is not correct. It's better to escape the `.` character in this case: `(\d+\.\d+\.\d+\.\d+)`
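To make the difference concrete, here is an added Python check (not part of the issue or of the Wazuh decoders) that reproduces the `mikrotik1` user-event decoder with both IP capture groups and runs it over constructed log lines. It assumes Python's `re` behaves like PCRE2 for these constructs, which holds for `\d`, `\w`, `\S`, `.` and lazy quantifiers.

```python
import re

# Constructed sample lines in the shape the blog's decoder expects.
# The second one carries a malformed "address" made only of digits.
SAMPLE_LINE = ("RouterOS7.1-logs: Jan 10 12:00:00 MikroTik user admin "
               "logged in from 192.168.1.10 via ssh")
BAD_LINE = ("RouterOS7.1-logs: Jan 10 12:00:00 MikroTik user admin "
            "logged in from 1234567 via ssh")

PREMATCH = "RouterOS7.1-logs: "          # from the parent "mikrotik" decoder
IP_UNESCAPED = r"(\d+.\d+.\d+.\d+)"      # as published in the blog post
IP_ESCAPED = r"(\d+\.\d+\.\d+\.\d+)"     # with the dots escaped, as proposed
FIELDS = ["logtimestamp", "logged_user", "action", "ip_address", "protocol"]


def user_event_regex(ip_group):
    """Build the mikrotik1 user-event regex around the chosen IP group."""
    return re.compile(r"\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik user (\S+) (.*?) from "
                      + ip_group + r" via (\w+)")


def decode_user_event(line, ip_group=IP_ESCAPED):
    """Mimic the decoder chain: parent prematch, then map groups to <order> names.

    Returns a dict of decoded fields, or None when the decoder would not fire.
    """
    if not line.startswith(PREMATCH):
        return None
    m = user_event_regex(ip_group).search(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def ip_group_accepts(text, ip_group):
    """True when the IP capture group on its own matches the whole string."""
    return re.fullmatch(ip_group, text) is not None


if __name__ == "__main__":
    for ip_group in (IP_UNESCAPED, IP_ESCAPED):
        print(ip_group)
        print("  192.168 accepted:", ip_group_accepts("192.168", ip_group))
        print("  good line ->", decode_user_event(SAMPLE_LINE, ip_group))
        print("  bad line  ->", decode_user_event(BAD_LINE, ip_group))
```

With the unescaped group, `192.168` is accepted and the malformed line is decoded with `ip_address` set to `1234567`; with the escaped group, the malformed line is not decoded at all, so no bogus IP reaches the rules and alerts.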
Additional examples/references (screenshots, code samples, links)
🛠 Additional Details