Daniel,

Let's assume I completely remove <program_name />. Should it still work?
On Aug 21, 8:16 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi Tom,
>
> Thanks for the logs. I really appreciated it. Just change the program name to:
>
> <program_name />
>
> And it will work. I also made this change on CVS for our next releases...
>
> Thanks!
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/21/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > log samples sent.
> > I've modified decoder in numerous ways and was unable to obtain
> > results.
> > Tom.
> >
> > On Aug 20, 9:55 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> > > Hi Tom,
> > >
> > > Can you send some log samples to us? Our decoder looks for:
> > >
> > > <decoder name="netscreenfw">
> > >   <program_name>^sav00|^ns5gt</program_name>
> > >   <prematch>^NetScreen device_id</prematch>
> > > </decoder>
> > >
> > > Probably that's why it only works with ns5gt. However, we were told
> > > this would be present in all netscreen logs, so if that is different,
> > > let us know.
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On 8/20/07, Tom Bicer <[EMAIL PROTECTED]> wrote:
> > >
> > > > I've been trying to get ossec to work with netscreen logs. I'm unable
> > > > to figure out why only device name ns5gt works.
> > > > Replacing that name with any other valid device name in decoder.xml
> > > > doesn't produce any records in firewall.log
> > > > I also tried completely removing program_name and just leaving
> > > > prematch, it still doesn't produce any entries in firewall.log
> > > > I'd appreciate any suggestions anyone may have.
> > > > Tom
