Thanks for the heads-up on local_decoder.xml - I had no idea that existed until reading your response!
On Fri, Jun 24, 2011 at 5:39 AM, Michael Starks <[email protected]> wrote:
> On 06/23/2011 10:25 PM, Jeremy Lee wrote:
>
>> Actually, I'm a bit embarrassed, but all I did was add this to decoder.xml
>>
>> <decoder name="snoopy-logger">
>>   <program_name>^snoopy</program_name>
>> </decoder>
>>
>> Then in local_rules I added the following:
>>
>> <rule id="100040" level="0">
>>   <decoded_as>snoopy-logger</decoded_as>
>>   <description>Ignore Snoopy logger events</description>
>> </rule>
>>
>> <rule id="100041" level="15">
>>   <if_sid>100040</if_sid>
>>   <match>whatever</match>
>>   <description>file access (snoopy)</description>
>> </rule>
>>
>
> No need to be embarrassed. Snoopy logs look pretty simple. I'll see if
> there is any need to extend it to match on more info.
>
> Also, you may want to create and put this in local_decoder.xml; otherwise,
> your decoder will be lost when you upgrade.
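To show what the quoted decoder and rule pair actually does, here is an added example that is not part of the thread and not OSSEC's own code: a small Python model of how OSSEC evaluates a `<program_name>` decoder and then walks the `if_sid` rule tree, run over three constructed syslog lines (two from Snoopy, one from sshd). It keeps the behaviour the pattern relies on: the level 0 parent rule 100040 swallows ordinary Snoopy events, but its child 100041 is still evaluated and escalates to level 15 when `<match>whatever</match>` (the poster's placeholder pattern) appears in the message. Assumed for the model: the standard syslog header layout, that `<match>` is a plain substring test against the message body after the program name, and that only rules with level 1 or higher produce alerts (OSSEC's default `log_alert_level`). The log lines, host name and PIDs are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines (not real captures). Snoopy writes one
# line per exec(); the third line is a non-Snoopy event for contrast.
SAMPLE_LOGS = [
    "Jun 24 05:39:01 web01 snoopy[2134]: [uid:1000 sid:3 tty:/dev/pts/0 "
    "cwd:/home/jlee filename:/bin/ls]: ls -la",
    "Jun 24 05:39:05 web01 snoopy[2140]: [uid:0 sid:3 tty:/dev/pts/0 "
    "cwd:/root filename:/bin/cat]: cat /etc/whatever",
    "Jun 24 05:39:09 web01 sshd[881]: Accepted publickey for jlee from "
    "10.0.0.5 port 51022 ssh2",
]

# Assumed syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Decoder:
    name: str
    program_name: str  # anchored regex, like OSSEC's <program_name>


@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None  # <decoded_as>
    if_sid: Optional[int] = None      # <if_sid>, makes this a child rule
    match: Optional[str] = None       # <match>, substring of the message


# The decoder and rules from the quoted message, transcribed as data.
DECODERS = [Decoder("snoopy-logger", r"^snoopy")]
RULES = [
    Rule(100040, 0, "Ignore Snoopy logger events", decoded_as="snoopy-logger"),
    Rule(100041, 15, "file access (snoopy)", if_sid=100040, match="whatever"),
]


def decode(line: str) -> Optional[dict]:
    """Split the syslog header and tag the event with the first decoder
    whose program_name regex matches the program field."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["decoder"] = None
    for d in DECODERS:
        if re.match(d.program_name, ev["prog"]):
            ev["decoder"] = d.name
            break
    return ev


def evaluate(ev: dict) -> Optional[Rule]:
    """Pick the top-level rule for the event's decoder, then descend into
    if_sid children while one of them matches. The deepest matching rule
    wins, so a level 15 child overrides its level 0 parent."""
    matched = None
    for r in RULES:
        if r.if_sid is None and r.decoded_as == ev["decoder"]:
            matched = r
            break
    if matched is None:
        return None
    descended = True
    while descended:
        descended = False
        for r in RULES:
            if r.if_sid == matched.id and (r.match is None or r.match in ev["msg"]):
                matched = r
                descended = True
                break
    return matched


def run(lines: List[str], alert_level: int = 1) -> List[Tuple[int, int, str]]:
    """Return (rule id, level, line) for events that would alert; level 0
    matches are swallowed, exactly like rule 100040 is meant to do."""
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        rule = evaluate(ev)
        if rule is not None and rule.level >= alert_level:
            alerts.append((rule.id, rule.level, line))
    return alerts


if __name__ == "__main__":
    for rid, level, line in run(SAMPLE_LOGS):
        print(f"rule {rid} level {level}: {line}")
```

Running it prints only the second Snoopy line, tagged with rule 100041 at level 15; the first Snoopy line matches 100040 and is dropped, and the sshd line never reaches these rules because the decoder does not claim it. In a real deployment the `whatever` match would be replaced by the filenames or commands you actually want escalated, and the decoder would live in local_decoder.xml, as the reply suggests, so that an upgrade does not overwrite it.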
