On Mon, 18 Jul 2011 11:13:10 -0400, Jason Frisvold wrote:
I'd like to use ossec to monitor this log and report any errors that may crop up. I'm a bit stuck on what log format to use, though. Any thoughts?
For single-line text logs you can use the syslog format. Also, you only need a decoder if you want to make use of extracted fields. If you're just looking for certain strings in general that you are sure are pretty specific to this format, then you can do something like <match>. Just keep in mind that it can create false positives and perhaps even be dangerous if used in combination with Active Response.
--
Michael Starks
Immutable Security
http://www.immutablesecurity.com
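The setup Michael describes, as an added example that is not part of the thread: a syslog-format localfile entry in ossec.conf plus local_rules.xml rules that use <match> without any custom decoder. The log path, rule ids, group name and matched strings are assumptions; the frequency rule is there to show one way to keep a plain string match from firing (or triggering an Active Response) on every single line.

```xml
<!-- ossec.conf (assumed path): OSSEC reads the file line by line as syslog-style text.
     No decoder is needed unless you want to pull out fields such as srcip or user. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp/app.log</location>
  </localfile>
</ossec_config>

<!-- local_rules.xml: ids 100000-119999 are reserved for local rules.
     <match> is a substring/anchored match on the raw line, so choose strings that
     are specific to this application rather than generic words like "error". -->
<group name="local,myapp,">

  <!-- Too broad: "error" appears in many unrelated lines and in user-supplied
       content, so an Active Response keyed on this rule could fire constantly.
       Kept at a low level and never referenced from <active-response>. -->
  <rule id="100100" level="3">
    <match>error</match>
    <description>myapp: generic error keyword seen (low confidence).</description>
  </rule>

  <!-- Specific: anchored to the application's own marker, ^ means start of line. -->
  <rule id="100101" level="7">
    <match>^myapp[</match>
    <regex>MYAPP-ERR-\d\d\d\d</regex>
    <description>myapp: application-specific error code logged.</description>
  </rule>

  <!-- Escalate only when the specific rule repeats: 5 hits in 60 seconds.
       If an <active-response> is wanted at all, bind it with
       <rules_id>100102</rules_id> to this rule, not to 100100. -->
  <rule id="100102" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100101</if_matched_sid>
    <description>myapp: repeated application errors, possible outage or abuse.</description>
  </rule>

</group>
```

After editing, run `ossec-logtest` and paste a sample line to confirm which rule id and level it hits before enabling any response.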
