Use the parent decoder's name.

On Feb 14, 2012 4:38 PM, <[email protected]> wrote:
> On Tue, Feb 14, 2012 at 10:08:18AM -0500, dan (ddp) wrote:
> >
> > > Shouldn't this match the 'esxi-state-transition' decoder as well?
> > >
> > >
> >
> > It looks like it does. status and action are both decoded, so unless
> > that's happening in another decoder, "esxi-state-transition" seems to
> > match.
>
> If esxi-state-transition decoder is matching, wouldn't the "decoder"
> return "esxi-state-transition" instead of just "esxi"?
>
> I wrote a rule:
>
> <group name="local,syslog,vmware">
> <rule id="100090" level="8">
> <decoded_as>esxi-state-transition</decoded_as>
> <action>VM_STATE_ON</action>
> <match>Transition</match>
> <description>VMWare state change: ON</description>
> </rule>
> </group>
>
> And it doesn't hit when I feed this message:
>
> Mar 21 19:17:02 192.168.1.2 Hostd: [2011-03-21 19:17:02.053 4A4DDB90 info
> 'vm:/vmfs/volumes/4d5ab801-a3984e3b-3c46-0014221a2fc4/
> WIN03/WIN03.vmx'] State Transition (VM_STATE_REVERT_SNAPSHOT ->
> VM_STATE_ON)
>
> **Phase 1: Completed pre-decoding.
> full event: 'Mar 21 19:17:02 192.168.1.2 Hostd: [2011-03-21
> 19:17:02.053 4A4DDB90 info
> 'vm:/vmfs/volumes/4d5ab801-a3984e3b-3c46-0014221a2fc4/'
> hostname: '192.168.1.2'
> program_name: 'Hostd'
> log: '[2011-03-21 19:17:02.053 4A4DDB90 info
> 'vm:/vmfs/volumes/4d5ab801-a3984e3b-3c46-0014221a2fc4/'
>
> **Phase 2: Completed decoding.
> decoder: 'esxi'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '490101'
> Level: '1'
> Description: 'Grouping for esxi hostd logs.'
> **Alert to be generated.
>
> I'm not opposed to my rule, decoder, or both being terrible.
>
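The change the reply is pointing at, written out as an added example that is not part of the original thread: OSSEC matches `<decoded_as>` against the parent decoder's name, not a child decoder's, which is why ossec-logtest reports `decoder: 'esxi'` even though the `esxi-state-transition` child extracted the status and action fields. Rule id, level, action and description are the ones from the quoted rule.

```xml
<group name="local,syslog,vmware">
  <rule id="100090" level="8">
    <!-- Was: <decoded_as>esxi-state-transition</decoded_as>
         A child decoder name is not what decoded_as is compared with,
         so the rule never matched and the event fell through to the
         level-1 grouping rule 490101. -->
    <!-- Now: the parent decoder name, exactly as ossec-logtest prints it -->
    <decoded_as>esxi</decoded_as>
    <!-- Fields extracted by the esxi-state-transition child decoder
         (status, action) remain available for matching here -->
    <action>VM_STATE_ON</action>
    <match>Transition</match>
    <description>VMWare state change: ON</description>
  </rule>
</group>
```

To confirm the fix, feed the same "State Transition (VM_STATE_REVERT_SNAPSHOT -> VM_STATE_ON)" line to /var/ossec/bin/ossec-logtest again: Phase 3 should now report rule 100090 at level 8 instead of rule 490101.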
