Hi Matthias,
Inside the package of the ossec-wui, you have a README.search file with some instructions regarding the searches. It is pasted below:
"
Pattern: (string matching)
  Examples:
    sshd:   - only list alerts with sshd on the message
    !snort  - only list alerts that do not have snort on the message

Srcip: (string matching)
  Examples:
    192.168.2 - only list events with a valid srcip from 192.168.2.xx
    !1.2.3    - ignore alerts from 1.2.3

Rule id: (regex)
  Examples:
    30112|30111 - only list these two rules
    (?!30112)   - ignore rule 30112

User: (string matching)
  Examples:
    xyz  - only list events with a valid username of xyz
    !abc - ignore events with username abc

Location: (string matching)
  Examples:
    agent1   - only list events from agent1
    !192.168 - ignore events from any agent in this network

# EOF
"
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Mar 19, 2008 at 9:20 PM, matthias platzer <[EMAIL PROTECTED]> wrote:
>
> hi list,
>
> I can vaguely remember having read something about the search syntax
> in the ossec-wui, but cannot find it anymore. I think one could use
> (easy) regular expressions and escape chars there, but how is the
> syntax?
>
> tia matthias
>
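The README.search semantics quoted in Daniel's reply, as an added example that is not code from ossec-wui or from anyone on this thread: a small Python filter run over constructed alert records. The sample alerts, the reading of "string matching" as a substring test, and the assumption that the rule-id regex is applied anchored at the start of the id are assumptions of this example, not statements from the page.

```python
import re

# Constructed sample alerts for this example (not real OSSEC output);
# the keys mirror the five search fields from README.search.
ALERTS = [
    {"rule_id": "30112", "srcip": "192.168.2.15", "user": "xyz",
     "location": "agent1", "message": "sshd: authentication failure"},
    {"rule_id": "30111", "srcip": "1.2.3.4", "user": "abc",
     "location": "agent2", "message": "snort: portscan detected"},
    {"rule_id": "5501", "srcip": "192.168.20.7", "user": "",
     "location": "192.168.2.20->/var/log/secure", "message": "sshd: session opened"},
]


def string_match(term, value):
    """'string matching' per README.search: substring test on the field;
    a leading '!' negates it, and an empty term means no filter (assumption)."""
    if not term:
        return True
    if term.startswith("!"):
        return term[1:] not in value
    return term in value


def rule_match(term, rule_id):
    """'Rule id: (regex)' per README.search. Assumed to be anchored at the
    start of the id (re.match): that is what makes '(?!30112)' exclude
    rule 30112 while '30112|30111' still selects both rules."""
    if not term:
        return True
    return re.match(term, rule_id) is not None


def search(alerts, pattern="", srcip="", rule_id="", user="", location=""):
    """Apply all five filters; an alert is listed only if every one matches."""
    return [a for a in alerts
            if string_match(pattern, a["message"])
            and string_match(srcip, a["srcip"])
            and rule_match(rule_id, a["rule_id"])
            and string_match(user, a["user"])
            and string_match(location, a["location"])]


def matched_ids(**filters):
    """Rule ids of the sample alerts that pass the given filters."""
    return [a["rule_id"] for a in search(ALERTS, **filters)]


if __name__ == "__main__":
    # A bare prefix like '192.168.2' is a substring test, so it also matches
    # 192.168.20.7; append the trailing dot to list only 192.168.2.x hosts.
    print(matched_ids(srcip="192.168.2"))    # ['30112', '5501']
    print(matched_ids(srcip="192.168.2."))   # ['30112']
    print(matched_ids(rule_id="(?!30112)"))  # ['30111', '5501']
```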