Hi, active response only accepts *user* and *srcip* as arguments. So, you need to create a decoder to extract the log as user or srcip. I'm not sure if this regex will work: "^(\.+)$".
I hope it helps.

On Sunday, June 25, 2017 at 7:06:31 PM UTC+2, dan (ddpbsd) wrote:
>
> On Jun 25, 2017 1:05 PM, "Guy Or" <guyd...@gmail.com> wrote:
>
> > Hello,
> >
> > I am writing decoders, rules and scripts that monitor my uwsgi application.
> >
> > Say that I write a decoder for a certain event that appears in the log,
> > and that triggers a rule I wrote for it (using 'decoded_as').
> >
> > How do I pass the entire log line to my custom active response script, so
> > that I can use the information in the logic of the script?
> >
> > FYI: I am using ossec and zabbix in conjunction; right now I detect and
> > parse events with ossec real time log monitoring and send the information
> > to zabbix trappers. Works wonderfully.
>
> Decode the entire log message as <user>?
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
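A worked version of what the thread describes, as an added example that is not code from the thread or from the OSSEC project: a decoder that captures the whole line into `user`, a rule keyed on it with `decoded_as`, the `<command>`/`<active-response>` pair with `<expect>user</expect>`, and the script execd runs, which reads the line from its second positional argument. The decoder name `uwsgi-full`, the prematch string `uwsgi: `, rule id 100100, the command name `uwsgi-forward`, the script file name and the Zabbix item key `ossec.uwsgi.event` are all assumptions. The argument layout used (`$1` action, `$2` user, `$3` srcip, then alert id, rule id, agent/location, filename) is the one the stock OSSEC active-response scripts read; execd builds that vector by splitting its internal message on spaces, so a log line containing whitespace is not delivered whole in `$2` (confirm this on your OSSEC version before relying on the later fields), and the script flags that case instead of trusting them.

```shell
#!/bin/sh
# Added example, not from the original thread or the OSSEC project.
# Active-response script that receives the whole log line in the "user"
# slot because the decoder captured the entire line with <order>user</order>.
#
# execd invokes the script as:
#   script ACTION USER SRCIP ALERTID RULEID AGENT FILENAME
#   $1 = add|delete   $2 = user    $3 = srcip ("-" when not decoded)
#   $4 = alert id     $5 = rule id $6 = agent/location   $7 = filename
#
# Decoder (assumed location /var/ossec/etc/local_decoder.xml; the name and
# the prematch are assumptions). In OSSEC's regex dialect "\." matches any
# character, so "^(\.+)$" captures everything after the prematch:
#   <decoder name="uwsgi-full">
#     <prematch>uwsgi: </prematch>
#     <regex offset="after_prematch">^(\.+)$</regex>
#     <order>user</order>
#   </decoder>
#
# Rule (local_rules.xml; the rule id is an assumption):
#   <group name="uwsgi,">
#     <rule id="100100" level="7">
#       <decoded_as>uwsgi-full</decoded_as>
#       <description>uwsgi event handed to active response</description>
#     </rule>
#   </group>
#
# ossec.conf (command name and script file name are assumptions):
#   <command>
#     <name>uwsgi-forward</name>
#     <executable>uwsgi-forward.sh</executable>
#     <expect>user</expect>
#   </command>
#   <active-response>
#     <command>uwsgi-forward</command>
#     <location>local</location>
#     <rules_id>100100</rules_id>
#   </active-response>

AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
ZABBIX_KEY="${ZABBIX_KEY:-ossec.uwsgi.event}"   # assumed trapper item key

# ar_parse ACTION USER SRCIP ALERTID RULEID AGENT FILENAME
# Validates the argument vector and prints one tab-separated record.
# Returns 1 on an unknown action and 2 when no user field was decoded.
ar_parse() {
    case "$1" in
        add|delete) ;;
        *) echo "ar_parse: unknown action '$1'" >&2; return 1 ;;
    esac
    if [ -z "$2" ] || [ "$2" = "-" ]; then
        echo "ar_parse: no user field decoded" >&2
        return 2
    fi
    # execd tokenises its message on spaces: a log line with whitespace is
    # spread over extra parameters and the later fields shift. Flag it
    # rather than silently trusting $3..$7.
    if [ "$#" -gt 7 ]; then
        echo "ar_parse: $# parameters, user field was probably split on spaces" >&2
    fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# ar_main: what execd actually runs. The log line is untrusted input that
# has reached a shell argument vector, so it is only ever passed quoted and
# never handed to eval or to an unquoted expansion.
ar_main() {
    record=$(ar_parse "$@") || return $?
    printf '%s\t%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$record" >> "$AR_LOG"
    # Forward the decoded line to a Zabbix trapper item when the sender
    # binary and the target (assumed environment variables) are present.
    if [ "$1" = add ] && [ -n "${ZABBIX_SERVER:-}" ] && [ -n "${ZABBIX_HOST:-}" ] \
        && command -v zabbix_sender >/dev/null 2>&1; then
        zabbix_sender -z "$ZABBIX_SERVER" -s "$ZABBIX_HOST" \
            -k "$ZABBIX_KEY" -o "$2" >/dev/null
    fi
}

# execd always supplies arguments; run only in that case so the functions
# can be sourced or tested without touching the log file.
if [ "$#" -ge 2 ]; then
    ar_main "$@"
fi
```

Drop the script into `/var/ossec/active-response/bin/`, make it executable and owned like the stock scripts there, and restart OSSEC so the new decoder, rule and command are loaded. The `$# -gt 7` check is the one to watch in the log: if it fires on every event, the line is arriving split and the script should reassemble `$2` onward itself rather than use `$3`..`$7`.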