Hi Rich,
You got it all right. The decoders are only used to extract information from the logs, like srcip, username, etc. It is in the rules where the good stuff is :) If you are writing your own signatures to match specific log files, you don't need to do anything with the decoders, unless you want to extract ips, users, etc. Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/15/06, Zanni, Richard B <[EMAIL PROTECTED]> wrote:
Bear with me, I'm trying to get up to speed… How does the decoder.xml relate to the rules? Does the decoder just extract specific pieces of information from a string (event), which can then be used in one of the signature options of the rules?

For example, say an event is appended to the end of a log monitored by ossec. No information is extracted from the log via the decoder.xml because it doesn't match any of the regexes specified. However, a rule may do its own regex match and match some string in the event, and then take whatever action is specified. Is this correct?

If you're writing your own signatures to capture log entries, would you just put it all in the rules, or add to the decoder.xml?

Thanks for your help…

- Rich
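To make the split between decoders and rules concrete, here is an added example (not from the thread or from the OSSEC project files) for a hypothetical application "myapp" whose log lines look like the constructed sample "myapp: login failed for user alice from 10.0.0.5". The first rule needs only a plain <match> and would work with no custom decoder at all; the correlation rule at the end needs the decoder because <same_source_ip> can only fire once srcip has been extracted. Rule IDs in the 100000 range are assumed to be free for local rules.

```xml
<!-- local_decoder.xml: only needed to pull out fields (user, srcip) -->
<decoder name="myapp">
  <!-- prematch cheaply selects lines from this application -->
  <prematch>^myapp: </prematch>
</decoder>

<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <!-- regex runs on the text after the parent's prematch;
       captured groups are mapped to fields by <order> -->
  <regex offset="after_parent">^login failed for user (\S+) from (\S+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml: where the signatures actually live -->
<group name="myapp,">
  <!-- level 0 base rule: groups everything the myapp decoder matched -->
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>

  <!-- plain string match: works even without the field-extracting decoder -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>login failed for user</match>
    <description>myapp: failed login.</description>
  </rule>

  <!-- correlation across events; this one DOES depend on the decoder
       having extracted srcip, otherwise same_source_ip never matches -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from the same source.</description>
  </rule>
</group>
```

With the decoder in place, ossec-logtest on the sample line should show user and srcip in the decoded output before rule 100101 fires; without it, 100101 still matches on the raw text but 100102 never will.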
