From 5465b56fbc975ed8fea48248c6d6984be007c734 Mon Sep 17 00:00:00 2001
From: iasdeoupxe <39667843+iasdeoupxe@users.noreply.github.com>
Date: Sun, 27 May 2018 10:57:14 +0200
Subject: [PATCH 1/2] Extract the dstuser for nginx basic auth

---
 decoders/0170-nginx_decoders.xml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/decoders/0170-nginx_decoders.xml b/decoders/0170-nginx_decoders.xml
index 811ad8fec..2c34edde4 100644
--- a/decoders/0170-nginx_decoders.xml
+++ b/decoders/0170-nginx_decoders.xml
@@ -7,15 +7,24 @@
 -->
 
 <!--
-  - Will extract the srcip.
+  - Will extract the srcip. Additionally extract the username for basic authentication if present.
   - Examples:
   - 2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"
   - 2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)
+  - 2018/05/26 06:46:11 [error] 31963#31963: *28769 user "test user" was not found in "/etc/nginx/conf.d/users.htpasswd", client: 1.2.3.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
+  - 2018/05/27 10:22:20 [error] 31972#31972: *52363 user "user2": password mismatch, client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"
   -->
 <decoder name="nginx-errorlog">
   <prematch>^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [</prematch>
 </decoder>
 
+<decoder name="nginx-errorlog-user-ip">
+  <parent>nginx-errorlog</parent>
+  <prematch offset="after_parent"> user "\.+"\.+, client: \S+, server: \S+, request: "\S+ </prematch>
+  <regex offset="after_parent"> user "(\.+)"\.+, client: (\S+), </regex>
+  <order>dstuser, srcip</order>
+</decoder>
+
 <decoder name="nginx-errorlog-ip">
   <parent>nginx-errorlog</parent>
   <prematch offset="after_parent">, client: \S+, server: \S+, request: "\S+ </prematch>

From 33734c6c56865d5ec78197f23d9e7abe9b5addb4 Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ <sitoruizbravo@hotmail.com>
Date: Thu, 28 Jun 2018 15:51:38 +0200
Subject: [PATCH 2/2] upgrade 0170-nginx_decoders.xml

We have added two twin decoders in order to get the "dstuser" field when the event contains the user.
---
 decoders/0170-nginx_decoders.xml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/decoders/0170-nginx_decoders.xml b/decoders/0170-nginx_decoders.xml
index 2c34edde4..ac786d89c 100644
--- a/decoders/0170-nginx_decoders.xml
+++ b/decoders/0170-nginx_decoders.xml
@@ -20,9 +20,15 @@
 
 <decoder name="nginx-errorlog-user-ip">
   <parent>nginx-errorlog</parent>
-  <prematch offset="after_parent"> user "\.+"\.+, client: \S+, server: \S+, request: "\S+ </prematch>
-  <regex offset="after_parent"> user "(\.+)"\.+, client: (\S+), </regex>
-  <order>dstuser, srcip</order>
+  <prematch offset="after_parent"> user "\.+"</prematch>
+  <regex offset="after_parent"> user "(\.+)"</regex>
+  <order>dstuser</order>
+</decoder>
+
+<decoder name="nginx-errorlog-user-ip">
+  <parent>nginx-errorlog</parent>
+  <regex offset="after_regex">client: (\S+),</regex>
+  <order>srcip</order>
 </decoder>
 
 <decoder name="nginx-errorlog-ip">