Hi all, I am currently attempting to set up a custom decoder with an install of OSSEC on a Debian system.

My log is:

    2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335

with a decoder of:

    <decoder name="magento-alert">
      <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d</prematch>
      <regex offset="after_prematch">^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)</regex>
      <order>extra_data</order>
    </decoder>

I run the log line through ossec-logtest but it doesn't find a match. Now if I change the log line to:

    2012-12-07T18:09:20 DEBUG (7) : File Ref MAGO100003354

and the decoder to:

    <decoder name="magento-alert">
      <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d</prematch>
      <regex offset="after_prematch">^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)</regex>
      <order>extra_data</order>
    </decoder>

it finds the match in the test. So this tells me that there is a problem with the "+00:00" part of the regexp, but I checked here <http://www.ossec.net/doc/syntax/regex.html> for the correct way to match a "+". Can anybody help me please? Thanks
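An offline way to sanity-check a decoder's two stages (the prematch, then the regex with offset="after_prematch") against the log lines and patterns quoted in the post, as an added example that is neither OSSEC's own engine nor the poster's code: it translates the subset of OSSEC regex syntax used here into Python `re`, assuming the class meanings given on the linked syntax page (`\d` digit, `\s` space, `\p` punctuation), and reports what each stage captures.

```python
import re

# Log lines and decoder patterns quoted in the post above.
LOG_TZ = "2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335"
LOG_NO_TZ = "2012-12-07T18:09:20 DEBUG (7) : File Ref MAGO100003354"
PREMATCH_TZ = r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d"
PREMATCH_NO_TZ = r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d"
REGEX = r"^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)"
# Punctuation set OSSEC's \p stands for, per the linked syntax page (assumption).
OSSEC_PUNCT = "()*+,-.:;<=>?[]!\"'#$%&|{}"


def ossec_to_python(pattern: str) -> str:
    r"""Translate the subset of OSSEC regex syntax used here into Python re syntax.
    Handles \d \D \s \S \p and backslash-escaped literals; the metacharacters
    . * + ^ $ ( ) keep their meaning, every other character is literal."""
    classes = {"d": "[0-9]", "D": "[^0-9]", "s": " ", "S": "[^ ]",
               "p": "[" + re.escape(OSSEC_PUNCT) + "]"}
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(classes.get(nxt, re.escape(nxt)))  # \( \) \. etc. are literals
            i += 2
        elif ch in ".*+^$()":
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def prematch_matches(log: str, prematch: str) -> bool:
    """Stage 1: does the <prematch> pattern hit the log line at all?"""
    return re.search(ossec_to_python(prematch), log) is not None


def decode(log: str, prematch: str, regex: str):
    """Stage 2: apply <regex offset="after_prematch"> to the text after the prematch.
    Returns the captured groups (the <order> fields) or None when a stage fails."""
    pre = re.search(ossec_to_python(prematch), log)
    if pre is None:
        return None
    hit = re.search(ossec_to_python(regex), log[pre.end():])
    return hit.groups() if hit else None


if __name__ == "__main__":
    for name, log, pre in (("with +00:00", LOG_TZ, PREMATCH_TZ),
                           ("without tz", LOG_NO_TZ, PREMATCH_NO_TZ)):
        print(name, "prematch:", prematch_matches(log, pre),
              "extra_data:", decode(log, pre, REGEX))
```

Run on the post's two pairs, the approximation reports the prematch succeeding on both, including the `+00:00` line, and the second stage failing only on the first pair, where the `MAGO` capture asks for nine `\d` but that log line carries eight digits after `MAGO`. Agreement with this translator is no guarantee that ossec-logtest, which applies the decoder after OSSEC's own log pre-decoding, behaves the same, so confirm any change there.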