Hello all,

So is my understanding of decoding correct, that you may use only the content of the message without any context to help you decode it?

What I mean is, say you are monitoring a file called "/var/log/openvpn/server.log" which generates a message like this:

    Thu Feb 25 09:14:51 2010 SIGTERM[hard,] received, process exiting

Using only the content of the message alone, it would be impossible for OSSEC to identify this message as an openvpn server stopping. There is nothing in the content to identify it as coming from openvpn.

BUT if, when you configured your <location>, inside you specified something like <decode-as>openvpn-log</decode-as> and this information got passed along to the decoder, now you are in business. You now have the context you need to determine this message came from an openvpn-log and that the server is stopping.

I know program_name could be considered context, but isn't that just set by the pre-decoder by looking for it in the content of a syslog message?

- Jo

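The distinction Jo is drawing, between what a pre-decoder can pull out of the message text itself and a hint carried over from the localfile configuration, can be illustrated with a small simulation. The following Python is an added example written for this thread; it is not OSSEC code and does not claim to reproduce OSSEC's decoder logic. The sample lines, the decoder table keyed on program_name, and the decode_as parameter are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample inputs (not captured from a real system):
# the raw OpenVPN server log line from the post (no syslog header), and the
# same event as it would look if OpenVPN were logging through syslog instead.
RAW_OPENVPN_LINE = "Thu Feb 25 09:14:51 2010 SIGTERM[hard,] received, process exiting"
SYSLOG_LINE = "Feb 25 09:14:51 vpn-gw openvpn[4242]: SIGTERM[hard,] received, process exiting"

# Minimal BSD-syslog header: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical decoder table: decoder name -> program_name it is keyed on.
# A decoder of this kind can only fire if program_name was found in the content.
DECODERS_BY_PROGRAM: Dict[str, str] = {
    "openvpn": "openvpn",
    "sshd": "sshd",
}


@dataclass
class Event:
    raw: str
    message: str
    program_name: Optional[str] = None
    hostname: Optional[str] = None
    decoder: Optional[str] = None


def predecode(line: str) -> Event:
    """Mimic a pre-decoder: program_name is set only when the content itself
    carries a syslog header. A bare application log line yields nothing."""
    m = SYSLOG_RE.match(line)
    if m:
        return Event(raw=line, message=m.group("msg"),
                     program_name=m.group("prog"), hostname=m.group("host"))
    return Event(raw=line, message=line)


def decode(event: Event, decode_as: Optional[str] = None) -> Event:
    """Pick a decoder either from a per-file hint (the behaviour the post asks
    about, assumed here) or from the content alone via program_name."""
    if decode_as is not None:
        # Context supplied by the monitoring configuration, not by the message.
        event.decoder = decode_as
        return event
    for name, prog in DECODERS_BY_PROGRAM.items():
        if event.program_name == prog:
            event.decoder = name
            break
    return event


def classify(line: str, decode_as: Optional[str] = None) -> Optional[str]:
    """Return the decoder name chosen for a line, or None if nothing matched."""
    return decode(predecode(line), decode_as).decoder


if __name__ == "__main__":
    for line, hint in [(SYSLOG_LINE, None), (RAW_OPENVPN_LINE, None),
                       (RAW_OPENVPN_LINE, "openvpn")]:
        print(f"decode_as={hint!r:10} -> decoder={classify(line, hint)!r}  | {line}")
```

Run as a script it prints three lines: the syslog-wrapped event is decoded as openvpn from its content alone, the raw server.log line is not decoded at all, and the same raw line is decoded once the hint from the file's configuration is passed along. That is exactly the gap Jo describes: program_name is content, not context, so a file whose lines carry no syslog header needs the hint to travel with the event.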