Hello everyone,
I'm trying to add a FreshClam (ClamAV updater) decoder and rules, but I'm
having an issue with decoder names (see the example below).
My parent decoder is named "freshclam" and it seems that only the first
sub-decoder is picked up when the children are named differently
("freshclam-fail" and "freshclam-success" in this example). So when
"freshclam-fail" is the first child, "freshclam-success" is not working
at all. When I then switched them, placing "freshclam-success" before
"freshclam-fail", only "freshclam-success" works.
However, when I rename the children to have the same name, like
"freshclam-status", all sub-decoders work as expected.
This doesn't make much sense to me and it doesn't feel like intended
behavior, or is it?
Any insight is appreciated.
FYI: I'm running version 2.3 and testing with ossec-logtest.
Code Example:
<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>

<decoder name="freshclam-fail">
  <parent>freshclam</parent>
  <regex offset="after_parent">^(Update failed.)</regex>
  <order>status</order>
</decoder>

<decoder name="freshclam-success">
  <parent>freshclam</parent>
  <regex offset="after_parent">^(Database updated)</regex>
  <regex>\.*IP: (\d+.\d+.\d+.\d+)</regex>
  <order>status, srcip</order>
</decoder>
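To separate "the regexes don't match" from "the child decoders aren't chained the way I expect", here is an added Python harness (not OSSEC code, and not part of the post above) that translates the subset of OSSEC's regex dialect used in these decoders into Python `re` and runs both children, in either order, against constructed FreshClam messages. The translation table, the `decode()` helper and the sample messages are my assumptions about OSSEC's matching, not the real ossec-logtest.

```python
import re

# Subset of OSSEC's regex dialect used by the freshclam decoders:
# '\.' = any character, a bare '.' = literal dot, '\d' = digit, '\w' = word
# char, '\s' = space; '^', '$', '+', '*', '|' and '()' keep their meaning.
# Assumption: sufficient for these patterns, not the full OSSEC dialect.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]",
    "d": "[0-9]", "D": "[^0-9]",
    "s": " ", "S": "[^ ]", "t": "\t", ".": ".",
}
META = set("^$+*|()")

def ossec_to_python(pattern):
    """Convert an OSSEC <regex> body to an equivalent Python `re` pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif ch in META:
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))  # a bare '.' becomes a literal dot
            i += 1
    return "".join(out)

# Child decoders as (name, <regex> bodies, <order> fields).
# OSSEC concatenates several <regex> entries of one decoder into one pattern.
CHILDREN = [
    ("freshclam-fail", ["^(Update failed.)"], ["status"]),
    ("freshclam-success",
     ["^(Database updated)", r"\.*IP: (\d+.\d+.\d+.\d+)"], ["status", "srcip"]),
]

def decode(message, children=CHILDREN):
    """Return (decoder name, fields) for the first child whose regex matches."""
    for name, regexes, order in children:
        m = re.match(ossec_to_python("".join(regexes)), message)
        if m:
            return name, dict(zip(order, m.groups()))
    return None, {}

# Constructed sample messages, syslog header and program name already stripped.
FAIL_MSG = "Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working."
OK_MSG = "Database updated (2041226 signatures) from database.clamav.net (IP: 203.0.113.10)"

if __name__ == "__main__":
    for msg in (FAIL_MSG, OK_MSG):
        print(decode(msg), decode(msg, list(reversed(CHILDREN))))
```

If both messages decode to the expected child regardless of the order in CHILDREN here, the patterns themselves are fine and the difference you observe in ossec-logtest comes from how OSSEC chains sibling children, not from the regexes.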