Dan, My apologies. The solution you suggested allows me to correctly decode it.
Can you explain why my first log entry, taken from an archived ossec log, did not work? I am still confused as to how the log gets dissected. Thanks in advance for any insight anyone might provide.

Bart

On 1 Apr, 14:46, "Bart V." <[email protected]> wrote:
> hmm,
> Even if that would work, that's not a solution as the entry as I
> pasted is taken literally from /var/ossec/logs/archives/ossec-archive.log
> So it should be in the proper format?
>
> On 31 Mar, 15:27, "dan (ddp)" <[email protected]> wrote:
>
> > Try it without the date and server info:
> > WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain:
> > SERVER01: Citrix Presentation Server has entered the grace period. You
> > have 840 hour(s) remaining before this server stops accepting
> > connections from client devices.
>
> > On Wed, Mar 31, 2010 at 6:01 AM, Bart V. <[email protected]> wrote:
> > > Hi,
> > >
> > > All I am trying to do is use ossec to monitor some important events in
> > > our windows server environment.
> > >
> > > The default decoder for windows events reads:
> > >
> > > <decoder name="windows">
> > >   <type>windows</type>
> > >   <prematch>^WinEvtLog: </prematch>
> > >   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> > >   <regex>(\.+): \.+: (\S+): </regex>
> > >   <order>status, id, extra_data, user, system_name</order>
> > >   <fts>name, location, user, system_name</fts>
> > > </decoder>
> > >
> > > When I use the log entry below with ossec-logtest, it states no
> > > decoder matches.
> > > Log:
> > > 2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog:
> > > System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01:
> > > Citrix Presentation Server has entered the grace period. You have 840
> > > hour(s) remaining before this server stops accepting connections from
> > > client devices.
> > >
> > > Logtest output:
> > > 2010/03/31 11:57:26 ossec-testrule: INFO: Started (pid: 22656).
> > > ossec-testrule: Type one log per line.
> > >
> > > 2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog:
> > > System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01:
> > > Citrix Presentation Server has entered the grace period. You have 840
> > > hour(s) remaining before this server stops accepting connections from
> > > client devices.
> > >
> > > **Phase 1: Completed pre-decoding.
> > >        full event: '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices. '
> > >        hostname: 'hzlnx01'
> > >        program_name: '(null)'
> > >        log: '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices. '
> > >
> > > **Phase 2: Completed decoding.
> > >        No decoder matched.
> > >
> > > Some questions:
> > > 1. what is wrong with the log? should I create a custom decoder for
> > > it?
> > > 2. provided we can solve the above... can i use the fields status, id
> > > etc. in my rules?
> > >
> > > Any hints or assistance that lead to my understanding this better will
> > > be greatly appreciated :)
> > >
> > > Bart Van der Avort
> > >
> > > --
> > > To unsubscribe, reply using "remove me" as the subject.
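Added example (not code from the thread or from OSSEC itself) that reproduces dan's point in Python: the decoder's prematch `^WinEvtLog: ` is anchored at the first character of the log, and an ossec-archive.log line carries the date, agent name, agent IP and location in front of the event the agent originally sent, so the decoder cannot match until that prefix is removed. The archive-prefix pattern is an assumption built from the quoted line, and the lazy quantifiers stand in for OSSEC's own regex engine (they yield the same five fields here).

```python
import re

# The stock OSSEC "windows" decoder quoted in the thread, translated to
# Python regex syntax.  OSSEC spells "any character" as \. and concatenates
# consecutive <regex> elements into one pattern; lazy quantifiers stand in
# for OSSEC's leftmost-shortest captures (same fields for this event).
PREMATCH = re.compile(r"^WinEvtLog: ")
REGEX = re.compile(
    r"^.+?: (\w+)\((\d+)\): (.+?): "   # <regex offset="after_prematch">
    r"(.+?): .+?: (\S+): "             # second <regex>, appended to the first
)
ORDER = ("status", "id", "extra_data", "user", "system_name")

# What the archive writes in front of the event the agent actually sent:
# "<date> (<agent name>) <agent ip>-><location> ".  Pattern constructed
# from the line quoted in the thread; it is not an OSSEC component.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d \(\S+\) \S+->\S+ "
)

# The event from the thread, exactly as it appears in ossec-archive.log.
ARCHIVE_LINE = (
    "2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog "
    "WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: "
    "SERVER01: Citrix Presentation Server has entered the grace period. "
    "You have 840 hour(s) remaining before this server stops accepting "
    "connections from client devices."
)


def decode_windows(line):
    """Apply prematch, then the regex at offset after_prematch.

    Returns the <order> fields as a dict, or None when the decoder does
    not match (what ossec-logtest reports as 'No decoder matched')."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None      # '^' is anchored at column 0: any prefix kills it
    m = REGEX.match(line[pre.end():])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


def strip_archive_prefix(line):
    """Recover the raw event the agent sent from an archive line."""
    return ARCHIVE_PREFIX.sub("", line, count=1)


if __name__ == "__main__":
    print(decode_windows(ARCHIVE_LINE))                        # None
    print(decode_windows(strip_archive_prefix(ARCHIVE_LINE)))  # five fields
```

The dict keys are exactly the `<order>` names, which is what rules can then reference (for example `<status>` or `<id>` in a rule) once the decoder has matched.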
