Yeah, maybe I've got the logic of this backwards based on your reply. What I want to do is check for the word 'partially', then check for the 'completed...' message to appear shortly _after_ I get the 'partially' part matched. Based on your reply, this looks for the 'completed...' part in the previous 30 seconds (in this case) worth of log entries and not _after_ it matches 'partially'.

Right?
Daniel Cid wrote:

Hi Mark,

I am confused with what you are trying to do. This rule will look for the
"partially" pattern in the whole message; if found, it will search for
"completed, but with some warnings" in any message for the last
30 seconds. Is that what you are trying to do?

The regex tag acts like the match tag, but with a slower algorithm
(for regex matching)...

Can you give us more information?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/8/07, Mark Haney <[EMAIL PROTECTED]> wrote:

I've encountered what I think is a problem in OSSEC with regular
expressions.  I have a rule that looks like this:

<rule id="1820" level="8" timeframe="30">
  <regex>partially</regex>
  <if_matched_regex>completed, but with some warnings$</if_matched_regex>
  <description>Partial backup of data</description>
</rule>

However, the regex searching for 'partially' doesn't fire at all if I
take out the <if> part. Shouldn't the <regex> tag work like a <match>
tag if there aren't any regex meta characters?


--
Ita erat quando hic adveni.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415



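To make the lookback concrete, here is an added example (mine, not code from this thread or from OSSEC) that models in Python the correlation Daniel describes: a composite rule fires only when its own pattern matches the current line and the if_matched pattern was seen on an earlier line within the timeframe. Assumptions: Python's re module stands in for OSSEC's own regex engine, the lookback covers any earlier message (the simplified behaviour described above), and the log lines and timestamps are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """Subset of an OSSEC rule relevant to this thread."""
    rule_id: int
    level: int
    regex: str                              # pattern tested against the current message
    description: str
    if_matched_regex: Optional[str] = None  # pattern that must have matched EARLIER
    timeframe: int = 0                      # seconds to look back


@dataclass
class Alert:
    rule_id: int
    timestamp: datetime
    message: str


Event = Tuple[datetime, str]


def correlate(rules: List[Rule], events: List[Event]) -> List[Alert]:
    """Model of composite-rule evaluation as described in the reply (assumption:
    simplified; real OSSEC uses its own regex engine and keeps richer state).
    A rule with if_matched_regex fires only when its regex matches the current
    message AND some earlier message within `timeframe` seconds matched
    if_matched_regex. The lookback never sees messages that arrive later."""
    history: List[Event] = []
    alerts: List[Alert] = []
    for ts, msg in events:
        for rule in rules:
            if not re.search(rule.regex, msg):
                continue
            if rule.if_matched_regex is not None:
                window_start = ts - timedelta(seconds=rule.timeframe)
                seen_before = any(
                    window_start <= past_ts <= ts
                    and re.search(rule.if_matched_regex, past_msg)
                    for past_ts, past_msg in history
                )
                if not seen_before:
                    continue
            alerts.append(Alert(rule.rule_id, ts, msg))
        history.append((ts, msg))  # only now does this line become "history"
    return alerts


# The rule as posted: "partially" is the trigger, and the "completed ..."
# text is expected to have appeared BEFORE it.
POSTED_RULE = Rule(
    rule_id=1820, level=8, regex=r"partially",
    description="Partial backup of data",
    if_matched_regex=r"completed, but with some warnings$", timeframe=30,
)

# Swapped form matching the intent stated in the reply: fire on the
# "completed ..." line when "partially" was seen in the preceding 30 seconds.
SWAPPED_RULE = Rule(
    rule_id=1820, level=8, regex=r"completed, but with some warnings$",
    description="Partial backup of data",
    if_matched_regex=r"partially", timeframe=30,
)

T0 = datetime(2007, 2, 8, 10, 0, 0)

# Constructed sample log messages (not from the thread): "partially" first,
# then the completion message 5 seconds later.
SAMPLE_EVENTS: List[Event] = [
    (T0, "backup: dataset /data partially backed up"),
    (T0 + timedelta(seconds=5), "backup: job completed, but with some warnings"),
]

# Same pair, but the completion message arrives outside the 30 s window.
LATE_EVENTS: List[Event] = [
    (T0, "backup: dataset /data partially backed up"),
    (T0 + timedelta(seconds=90), "backup: job completed, but with some warnings"),
]


def fired(rule: Rule, events: List[Event]) -> List[str]:
    """Messages that produced an alert for `rule` over `events`."""
    return [a.message for a in correlate([rule], events)]


if __name__ == "__main__":
    print("posted rule :", fired(POSTED_RULE, SAMPLE_EVENTS))   # []
    print("swapped rule:", fired(SWAPPED_RULE, SAMPLE_EVENTS))  # one alert
    print("swapped, 90s:", fired(SWAPPED_RULE, LATE_EVENTS))    # []
```

Running it shows why the posted rule never fires on a 'partially' line followed by a 'completed...' line: when 'partially' arrives the completion message is still in the future, and when the completion message arrives the trigger pattern no longer matches. The swapped form (trigger on the completion line, look back for 'partially') fires once within the window and not at all when the gap exceeds the timeframe. In OSSEC the same "B shortly after A" intent is commonly expressed with two rules, one matching A and a second matching B that references the first through if_matched_sid with a timeframe.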
