Pedro, thanks again for your help.
I think I found the problem, but the workaround requires modification of decoder.xml. I moved the decoder into the decoder.xml file (I know that's not the recommended way), before the named group decoder, and made the decoder not a child of the named group decoder.

From etc/decoder.xml:

. . .
<decoder name="named-query-denied">
  <program_name>^named</program_name>
  <prematch>denied$</prematch>
  <regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
  <order>srcip,user</order>
</decoder>

<!-- Named decoder.
  - Will extract the srcip
  - Examples:
  - valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
  - named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
  - Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
  - Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
  -->
<decoder name="named">
  <program_name>^named</program_name>
</decoder>
. . .

The decoding works properly as per logtest:

# head -1 log-sample1 | bin/ossec-logtest
2017/03/14 16:30:27 ossec-testrule: INFO: Reading local decoder file.
2017/03/14 16:30:27 ossec-testrule: INFO: Started (pid: 4093).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'Mar 14 12:58:58 net19 named[6147]: client 108.239.52.141#3181 (kzcvyjchmduzkj.tengyin66.com): query (cache) 'kzcvyjchmduzkj.tengyin66.com/A/IN' denied'
       hostname: 'net19'
       program_name: 'named'
       log: 'client 108.239.52.141#3181 (kzcvyjchmduzkj.tengyin66.com): query (cache) 'kzcvyjchmduzkj.tengyin66.com/A/IN' denied'

**Phase 2: Completed decoding.
       decoder: 'named-query-denied'
       srcip: '108.239.52.141'
       *dstuser: 'kzcvyjchmduzkj.tengyin66.com'*

**Phase 3: Completed filtering (rules).
       Rule id: '12108'
       Level: '4'
       Description: 'Invalid Query cache denied.'
       Info - Link: 'http://www.reedmedia.net/misc/dns/errors.html'
**Alert to be generated.
I originally had the decoder as a parent top-level decoder, otherwise the logtest output seemed to only mention the named decoder, rather than the child. I thought it was just limited output at the time. So once I was convinced it worked, I moved it to be a child decoder, moved it to the local_named.xml file, and made its parent the named decoder. However, I believe the 'named-query-denied' decoding is not working as a child of the named decoder. Any ideas why???

The rest of the rules and alerts etc. are working fine, but I believe if the decoder fails to extract the dstuser from the log, then OSSEC would silently refuse to call the active response script, because it didn't have the expected user value from the log. (Might be nice to have a log on such a failure)

*Is there a way to make this work without modifying the decoder.xml file?*

*Thanks!*
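As an added illustration (not code from the post or from OSSEC itself), here is a small Python emulation of the two logtest phases the post shows, run over the post's two decoders and a constructed copy of its sample event. It assumes OSSEC's regex syntax can be read as Python `re` syntax (true for this decoder), a simplified syslog header, and that a field named `user` in `<order>` is reported as `dstuser`, as the logtest output above shows.

```python
import re
import xml.etree.ElementTree as ET
# The two decoders from the post, wrapped in a root element so ElementTree
# accepts them (OSSEC decoder files have no single root element).
DECODER_XML = r"""<decoders>
<decoder name="named-query-denied"><program_name>^named</program_name>
  <prematch>denied$</prematch><regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
  <order>srcip,user</order></decoder>
<decoder name="named"><program_name>^named</program_name></decoder>
</decoders>"""

# Constructed sample event, the same shape as the logtest input in the post.
SAMPLE = ("Mar 14 12:58:58 net19 named[6147]: client 108.239.52.141#3181 "
          "(kzcvyjchmduzkj.tengyin66.com): query (cache) 'kzcvyjchmduzkj.tengyin66.com/A/IN' denied")

# Simplified syslog header: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
FIELD_ALIAS = {"user": "dstuser"}  # "user" in <order> is reported as dstuser

def load_decoders(xml_text):
    """Return decoder specs in file order; OSSEC tries them in that order."""
    return [{"name": d.get("name"),
             **{t: d.findtext(t) for t in ("program_name", "prematch", "regex", "order")}}
            for d in ET.fromstring(xml_text).iter("decoder")]

def predecode(line):
    """Phase 1: split the syslog header into hostname, program_name and log."""
    m = SYSLOG.match(line)
    return m and {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def decode(decoders, line):
    """Phase 2: the first decoder whose program_name, prematch and regex all match wins."""
    pre = predecode(line)
    if not pre:
        return None
    for d in decoders:
        if d["program_name"] and not re.search(d["program_name"], pre["program_name"]):
            continue
        if d["prematch"] and not re.search(d["prematch"], pre["log"]):
            continue
        fields = {"decoder": d["name"]}
        if d["regex"]:
            m = re.search(d["regex"], pre["log"])
            if not m:
                continue
            for name, val in zip(d["order"].split(","), m.groups()):
                fields[FIELD_ALIAS.get(name.strip(), name.strip())] = val
        return fields
    return None
```

Running `decode(load_decoders(DECODER_XML), SAMPLE)` reproduces the Phase 2 fields from the logtest output; an event that does not end in `denied` falls through to the bare `named` decoder with no extracted fields, which is the case where the active response would see no user value.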