Thanks Daniel. One more question: how do the <decoder> and <type> flags in decoder.xml map to the rules? Are they associated with the <group> (as in <group name="blah">) and <category>?
-----Original Message-----
From: Daniel Cid [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 15, 2006 1:21 PM
To: [email protected]
Cc: Zanni, Richard B
Subject: Re: [ossec-list] Decoder and Rules newbie question

Hi Rich,

You got it all right. The decoders are only used to extract information from the logs, like srcip, username, etc. It is in the rules where the good stuff is :)

If you are writing your own signatures to match specific log files, you don't need to do anything with the decoders, unless you want to extract ips, users, etc..

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/15/06, Zanni, Richard B <[EMAIL PROTECTED]> wrote:
> Bear with me, I'm trying to get up to speed...
>
> How does the decoder.xml relate to the rules?
>
> Does the decoder just extract specific pieces of information from a string (event), which can then be used in one of the signature options of the rules?
>
> For example, say an event is appended to the end of a log monitored by ossec. No information is extracted from the log via the decoder.xml because it doesn't match any of the regexes specified. However, a rule may do its own regex match and match some string in the event, and then take whatever action is specified. Is this correct?
>
> If you're writing your own signatures to capture log entries, would you just put it all in the rules, or add to the decoder.xml?
>
> Thanks for your help...
>
> - Rich
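The split Daniel describes, as an added example that is not part of this thread and not taken from the OSSEC distribution: a decoder pair that only extracts fields (user and srcip) from a constructed sshd line, and a rule pair in local_rules.xml that does the actual matching and alerting. The decoder names, rule ids and the sample log line are made up for illustration; the element names (<program_name>, <prematch>, <regex>, <order>, <decoded_as>, <if_sid>, <match>, <group>) are standard OSSEC syntax, and <decoded_as> is what ties a rule to a decoder by name, while a rule's <category> matches the decoder's <type> (for example syslog or firewall).

```xml
<!-- Constructed sample event the decoders below are written against:
     Aug 15 13:21:00 host sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2 -->

<!-- decoder.xml (hypothetical local additions): extraction only, no alerting -->
<!-- Parent decoder: selects sshd events by syslog program name -->
<decoder name="example-sshd">
  <program_name>^sshd</program_name>
</decoder>

<!-- Child decoder: pulls user and source ip out of the message so rules
     (and active response) can refer to them as decoded fields -->
<decoder name="example-sshd-failed">
  <parent>example-sshd</parent>
  <prematch>^Failed password </prematch>
  <regex offset="after_prematch">for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml (hypothetical): matching and alert levels live here.
     Ids 100000 and up are reserved for local rules in OSSEC. -->
<group name="syslog,sshd,">
  <!-- Base rule bound to the decoder by name; level 0 means group only, no alert -->
  <rule id="100100" level="0">
    <decoded_as>example-sshd</decoded_as>
    <description>Hypothetical sshd messages grouped.</description>
  </rule>

  <!-- Child rule: its own string match on the event text, independent of
       whether the child decoder extracted anything -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>^Failed password</match>
    <description>Hypothetical sshd authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: same srcip seen 6 times in 120 seconds; this is
       where the decoded srcip field earns its keep -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Hypothetical sshd brute force from one source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Rule 100101 would still fire if the child decoder were deleted, since <match> runs against the raw message; rule 100102 would not, because <same_source_ip /> needs the srcip the decoder extracted. That is the practical line between "put it all in the rules" and "add to decoder.xml": decode a field when a rule, correlation or active response has to act on its value, not merely on its presence in the text.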
