On Fri, Feb 16, 2007 at 11:20:15PM -0400, Daniel Cid wrote:
>
> Hi Kayvan,
>
> Whenever you want to use regexes, you need the regex tag. The "match" is
> only for simple pattern matching. Secondly, the "match" and "regex" tags
> only look at the log message, not at the process name of syslog header.
Okay, so for this line:

Feb 17 05:37:03 server smbd[3776]: Denied connection from (0.0.0.0)

You are saying that program_name becomes "smbd" and that the log message
portion is " Denied connection from (0.0.0.0)", right? Is it the string
with spaces in front of it or is it the string without spaces in front?

> <rule id="100070" level="0">
>   <if_sid>1002</if_sid>
>   <match>^Denied connection from</match>
>   <description>Ignoring smbd denied connection from</description>
> </rule>

Can you use regex "^" in a match statement?

> You could also use the <program_name>smbd</program_name> to be
> more accurate. The following links can help:
>
> http://www.ossec.net/en/manual.html#rules
> http://www.ossec.net/wiki/index.php/FAQ

Thanks for the references. I'm starting to understand.

---Kayvan

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
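As an added illustration (not code from this thread and not OSSEC's own code), the Python script below emulates the two points in Daniel's reply so they can be tried against sample lines: the syslog header is split off first, so program_name comes from the header while match and regex only ever see the log message; and match is a plain string comparison whose only special characters are ^, $ and | (the three OSSEC documents for match), so regex wildcards inside a match tag are compared literally. The header parser is a simplified stand-in for OSSEC's decoding, Python's re module stands in for OSSEC's regex syntax, the sample lines are constructed from the smbd line above, and the assumption that the single space after the colon is dropped (so that ^ anchors at "Denied") is mine and is not stated in the thread.

```python
import re

# Constructed sample lines, modelled on the smbd line quoted in the thread.
SAMPLE_LOGS = [
    "Feb 17 05:37:03 server smbd[3776]: Denied connection from (0.0.0.0)",
    "Feb 17 05:37:04 server smbd[3776]: Allowed connection from (10.0.0.5)",
    "Feb 17 05:37:05 server sshd[2201]: Denied connection from (0.0.0.0)",
    "Feb 17 05:37:06 server kernel: Denied connection from (0.0.0.0)",
]

# Simplified syslog header: timestamp, host, program[pid]: message.
# A stand-in for OSSEC's own decoding, not a copy of it.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<log>.*)$"
)


def split_syslog(line):
    """Return (program_name, log) for one syslog line.

    Assumption (mine, not stated in the thread): the single space after the
    colon belongs to the header, so the log message starts at 'Denied' and a
    '^' anchor in a rule can match it.
    """
    m = SYSLOG_HEADER.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("prog"), m.group("log")


def ossec_match(pattern, text):
    """Emulate the <match> tag: a literal substring test.

    OSSEC documents three special characters for match: '^' (start of text),
    '$' (end of text) and '|' (alternation). Everything else, including '.'
    and '*', is compared literally, so match is not a regex.
    """
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1 if at_start else 0 : len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def rule_matches(rule, program_name, log):
    """Apply one rule (a dict of tag name -> tag text) to one decoded line.

    program_name is tested against the header's program name; match and regex
    are tested against the log message only, which is the point of Daniel's
    reply. Python's re stands in for OSSEC's own regex syntax.
    """
    if "program_name" in rule and not ossec_match(rule["program_name"], program_name):
        return False
    if "match" in rule and not ossec_match(rule["match"], log):
        return False
    if "regex" in rule and re.search(rule["regex"], log) is None:
        return False
    return True


def evaluate(rule, lines):
    """Return one True/False per line: did every field of the rule hold?"""
    return [rule_matches(rule, *split_syslog(line)) for line in lines]


# Rule 100070 from the thread as a dict instead of XML; the second form adds
# the program_name refinement Daniel suggested.
RULE_100070 = {"match": "^Denied connection from"}
RULE_100070_SMBD = {"match": "^Denied connection from", "program_name": "smbd"}

if __name__ == "__main__":
    for rule in (RULE_100070, RULE_100070_SMBD):
        for line, hit in zip(SAMPLE_LOGS, evaluate(rule, SAMPLE_LOGS)):
            print("%-5s %s  %s" % (hit, rule, line))
```

Running it shows why the two tags are not interchangeable: `{"match": "^Denied .* from"}` fires on nothing because `.*` is taken literally, while the same pattern in a `regex` field fires on every "Denied" line; and without program_name the sshd and kernel lines are swept up too, which is what Daniel's program_name suggestion prevents.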
