Hi all,
I am currently attempting to set up a custom decoder with an install of
OSSEC on a Debian system.
My log is
"2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335"
with a decoder of
"<decoder name="magento-alert">
<prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d</prematch>
<regex offset="after_prematch">^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)</regex>
<order>extra_data</order>
</decoder>"
I run the log line through ossec-logtest but it doesn't find a match.
Now if I change the log line to
"2012-12-07T18:09:20 DEBUG (7) : File Ref MAGO100003354"
and the decoder to
"
<decoder name="magento-alert">
<prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d</prematch>
<regex offset="after_prematch">^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)</regex>
<order>extra_data</order>
</decoder>
"
It finds the match in the test.
So this tells me that there is a problem with the "+00:00" part of the
regexp, but I checked here <http://www.ossec.net/doc/syntax/regex.html> for
the correct way to match a "+".
Can anybody help me please?
Thanks
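A dry run of both decoders against both log lines, as an added example that is not part of the original post and not OSSEC's own code. The block emulates the OSSEC regex dialect described at the linked page in Python: it assumes `\d` matches exactly one digit, `\p` matches one of the punctuation characters listed on that page (which include `+`), `\s` is a single space, and a backslash before any other character makes it a literal. This is an approximation of the documented syntax, not OSSEC's matcher, so ossec-logtest stays the authoritative check. Two things it makes visible that are also visible in the post itself: under the documented rules the `\p` prematch consumes the `+00:00`, and the first log line has eight digits after `MAGO` where the regex asks for nine, while the second log line has nine. The `\d+` variant of the regex is a hypothetical addition, not something the post contains.

```python
import re

# Punctuation set the OSSEC regex documentation lists for \p
# (http://www.ossec.net/doc/syntax/regex.html). Assumption: the matcher
# implements exactly that list.
OSSEC_PUNCT = '()*+,-.:;<=>?[]!"\'#$%&|{}'


def ossec_to_python(pattern):
    """Translate an OSSEC-style pattern into an equivalent Python re pattern.

    Only the escapes the decoders in the post need are handled; ^ $ ( ) + * |
    and . keep the same meaning in both dialects, everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt == 'd':
                out.append('[0-9]')                      # one digit
            elif nxt == 'p':
                out.append('[' + re.escape(OSSEC_PUNCT) + ']')
            elif nxt == 's':
                out.append(' ')
            elif nxt == 't':
                out.append('\t')
            else:
                out.append(re.escape(nxt))               # \( \) \. \\ -> literal
            continue
        if c in '^$()+*|.':
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)


def prematch(pattern, log):
    """Return the text consumed by <prematch>, or None if it does not match."""
    m = re.search(ossec_to_python(pattern), log)
    return m.group(0) if m else None


def decode(prematch_pattern, regex_pattern, log):
    """Emulate <prematch> followed by <regex offset="after_prematch">.

    Returns the tuple of captured fields, or None when either stage fails.
    """
    m = re.search(ossec_to_python(prematch_pattern), log)
    if not m:
        return None
    rest = log[m.end():]                                 # offset="after_prematch"
    m = re.search(ossec_to_python(regex_pattern), rest)
    return m.groups() if m else None


def count_ref_digits(log):
    """Number of digits directly following 'MAGO' in a log line (0 if absent)."""
    m = re.search(r'MAGO([0-9]*)', log)
    return len(m.group(1)) if m else 0


# Log lines and patterns copied from the post.
LOG_WITH_TZ = "2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO10000335"
LOG_NO_TZ = "2012-12-07T18:09:20 DEBUG (7) : File Ref MAGO100003354"
PREMATCH_WITH_TZ = r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d"
PREMATCH_NO_TZ = r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d"
REGEX_NINE_DIGITS = r"^ DEBUG \(7\) : File Ref MAGO(\d\d\d\d\d\d\d\d\d)"
# Hypothetical variant, not in the post: accept any number of digits.
REGEX_ANY_DIGITS = r"^ DEBUG \(7\) : File Ref MAGO(\d+)"


if __name__ == "__main__":
    print("prematch with \\p on the +00:00 line:",
          prematch(PREMATCH_WITH_TZ, LOG_WITH_TZ))
    print("digits after MAGO, first vs second line:",
          count_ref_digits(LOG_WITH_TZ), count_ref_digits(LOG_NO_TZ))
    print("first decoder, first line:",
          decode(PREMATCH_WITH_TZ, REGEX_NINE_DIGITS, LOG_WITH_TZ))
    print("second decoder, second line:",
          decode(PREMATCH_NO_TZ, REGEX_NINE_DIGITS, LOG_NO_TZ))
    print("first prematch with \\d+ regex, first line:",
          decode(PREMATCH_WITH_TZ, REGEX_ANY_DIGITS, LOG_WITH_TZ))
```

Run it as a script to see each stage; the point of splitting prematch and decode into separate functions is that a decoder can fail in either stage, and ossec-logtest's output does not always make obvious which one did.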