Try it without the date and server info:
WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain:
SERVER01: Citrix Presentation Server has entered the grace period. You
have 840 hour(s) remaining before this server stops accepting
connections from client devices.

On Wed, Mar 31, 2010 at 6:01 AM, Bart V. <[email protected]> wrote:
> Hi,
>
> All, I am trying to use ossec to monitor some important events in
> our windows server environment.
>
> The default decoder for windows events reads:
>
> <decoder name="windows">
>  <type>windows</type>
>  <prematch>^WinEvtLog: </prematch>
>  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>  <regex>(\.+): \.+: (\S+): </regex>
>  <order>status, id, extra_data, user, system_name</order>
>  <fts>name, location, user, system_name</fts>
> </decoder>
>
> When I use the log entry below with ossec-logtest, it states no
> decoder matches.
> Log:
> 2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog:
> System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01:
> Citrix Presentation Server has entered the grace period. You have 840
> hour(s) remaining before this server stops accepting connections from
> client devices.
>
> Logtest output:
> 2010/03/31 11:57:26 ossec-testrule: INFO: Started (pid: 22656).
> ossec-testrule: Type one log per line.
>
> 2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog:
> System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01:
> Citrix Presentation Server has entered the grace period. You have 840
> hour(s) remaining before this server stops accepting connections from
> client devices.
>
>
> **Phase 1: Completed pre-decoding.
>       full event: '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog
> WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no
> domain: SERVER01: Citrix Presentation Server has entered the grace
> period. You have 840 hour(s) remaining before this server stops
> accepting connections from client devices. '
>       hostname: 'hzlnx01'
>       program_name: '(null)'
>       log: '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog
> WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain:
> SERVER01: Citrix Presentation Server has entered the grace period. You
> have 840 hour(s) remaining before this server stops accepting
> connections from client devices. '
>
> **Phase 2: Completed decoding.
>       No decoder matched.
>
> Some questions:
> 1. What is wrong with the log? Should I create a custom decoder for
> it?
> 2. Provided we can solve the above... can I use the fields status, id
> etc. in my rules?
>
> Any hints or assistance that lead to my understanding this better will
> be greatly appreciated :)
>
> Bart Van der Avort
>

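As an added illustration (not OSSEC's code and not from either poster), the stock `windows` decoder from Bart's message run against both forms of the event: the pasted line, whose archive-log date/host/IP prefix stops the `^WinEvtLog: ` prematch from matching, and the bare event the agent actually forwards. OSSEC's os_regex engine is approximated with Python's `re` module; treating its quantifiers as shortest-match and joining the decoder's two `<regex>` lines into one pattern are assumptions of this example.

```python
import re

# Stock OSSEC 'windows' decoder from the thread.  Assumptions of this example:
# ossec-analysisd joins consecutive <regex> lines into one pattern, and
# os_regex quantifiers stop at the first point the following literal matches,
# which is modelled below by making every + and * lazy.
PREMATCH = r"^WinEvtLog: "
REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): " + r"(\.+): \.+: (\S+): "
ORDER = ["status", "id", "extra_data", "user", "system_name"]

# OSSEC escapes -> Python classes (OSSEC's \w also matches @ - _).
_CLASSES = {".": ".", "w": "[A-Za-z0-9_@-]", "d": "[0-9]", "s": " ", "S": "[^ ]"}


def ossec_to_python(pattern):
    """Translate OSSEC regex syntax into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))  # \. \w \d or escaped literal
            i += 2
        elif c in "+*":
            out.append(c + "?")                            # lazy quantifier
            i += 1
        elif c in "()^$":
            out.append(c)                                  # groups and anchors as in re
            i += 1
        else:
            out.append(re.escape(c))                       # a bare '.' is a literal dot
            i += 1
    return "".join(out)


def decode(log):
    """Return the decoder's fields, or None (ossec-logtest: 'No decoder matched')."""
    pm = re.match(ossec_to_python(PREMATCH), log)
    if not pm:
        return None
    m = re.match(ossec_to_python(REGEX), log[pm.end():])  # offset="after_prematch"
    return dict(zip(ORDER, m.groups())) if m else None


# Constructed input: the event as the agent forwards it, and as it was pasted
# into ossec-logtest with the archive-log date/host/ip prefix still attached.
EVENT = ("WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: "
         "SERVER01: Citrix Presentation Server has entered the grace period.")
WITH_PREFIX = "2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog " + EVENT

if __name__ == "__main__":
    print(decode(WITH_PREFIX))  # None: '^WinEvtLog: ' is not at the start of the log
    print(decode(EVENT))        # status, id, extra_data, user, system_name filled in
```

Once the decoder matches, the five names in `<order>` are exactly the fields a rule can test with `<status>`, `<id>`, `<extra_data>`, `<user>` and `<hostname>` style conditions.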