Hi Tom,

Thanks for the logs. I really appreciated it. Just change the program name to:

<program_name />

And it will work. I also made this change on CVS for our next releases...

Thanks!

--
Daniel B. Cid
dcid ( at ) ossec.net


On 8/21/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> log samples sent.
> I've modified decoder in numerous ways and was unable to obtain
> results.
> Tom.
>
> On Aug 20, 9:55 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> > Hi Tom,
> >
> > Can you send some log samples to us? Our decoder looks for:
> >
> > <decoder name="netscreenfw">
> >   <program_name>^sav00|^ns5gt</program_name>
> >   <prematch>^NetScreen device_id</prematch>
> > </decoder>
> >
> > Probably that's why it only works with ns5gt. However, we were told
> > this would be present in all netscreen logs, so if that is different,
> > let us know.
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 8/20/07, Tom Bicer <[EMAIL PROTECTED]> wrote:
> >
> > > I've been trying to get ossec to work with netscreen logs. I'm unable to
> > > figure out why only device name ns5gt works.
> > > Replacing that name with any other valid device name in decoder.xml
> > > doesn't produce any records in firewall.log.
> > > I also tried completely removing program_name and just leaving prematch;
> > > it still doesn't produce any entries in firewall.log.
> > > I'd appreciate any suggestions anyone may have.
> > > Tom
> >
>
>
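
A simplified model of the decoder check discussed in this thread, added here as an illustration (it is not OSSEC code and not from the original posts). The log lines are constructed, and the syslog header split, Python's `re` standing in for OSSEC's regex engine, and reading the empty `<program_name />` as "any program name" are assumptions.

```python
import re

# Syslog header split (assumption: classic "Mon DD HH:MM:SS host prog: msg").
SYSLOG = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The two decoder variants from the thread. Python's `re` stands in for
# OSSEC's own regex engine (assumption; these patterns read the same in both).
OLD = {"program_name": r"^sav00|^ns5gt", "prematch": r"^NetScreen device_id"}
NEW = {"program_name": "", "prematch": r"^NetScreen device_id"}  # <program_name />

# Constructed sample lines, not real device output. The device name sits
# where syslog normally carries the program name.
SAMPLES = [
    "Aug 21 10:15:02 192.0.2.1 ns5gt: NetScreen device_id=ns5gt action=Deny",
    "Aug 21 10:15:03 192.0.2.1 fw-branch1: NetScreen device_id=fw-branch1 action=Deny",
    "Aug 21 10:15:04 192.0.2.1 sav00-lab: NetScreen device_id=sav00-lab action=Permit",
    "Aug 21 10:15:05 192.0.2.1 sshd[411]: Accepted password for admin",
]


def decoder_matches(decoder, line):
    """Return True if the line passes both program_name and prematch."""
    m = SYSLOG.match(line)
    if not m:
        return False
    # Assumption: an empty program_name places no constraint on the value.
    if decoder["program_name"] and not re.search(decoder["program_name"], m["prog"]):
        return False
    return re.search(decoder["prematch"], m["msg"]) is not None


def matched_programs(decoder, lines=SAMPLES):
    """List the program (device) names of the lines the decoder accepts."""
    return [SYSLOG.match(l)["prog"] for l in lines if decoder_matches(decoder, l)]


if __name__ == "__main__":
    print("old decoder:", matched_programs(OLD))
    print("new decoder:", matched_programs(NEW))
```

With the anchored alternation, any device whose name does not start with `sav00` or `ns5gt` is dropped before `prematch` is ever tried; the `prematch` alone still keeps unrelated syslog lines out.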
