On Wed, Feb 15, 2012 at 10:29 AM, <[email protected]> wrote:
> On Tue, Feb 14, 2012 at 04:47:40PM -0500, dan (ddp) wrote:
>> Use the parent decoder's name.
>
> Oh. My troubles are over, dude:
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100090'
> Level: '8'
> Description: 'VMWare state change: ON'**
> Alert to be generated.
>
> I did notice that the decoder (I realize it's marked 'WIP') had another issue
> to overcome with my rule: it is keeping the parens.
>
> I had to change my local rule to match '<action>VM_STATE_ON)</action>'
> instead of '<action>VM_STATE_ON</action>'.
>
> Is this something I should overcome with rules or by changing the decoder?
>
I can't test it right now, but you could try something like the following (replacing the old decoder):

<decoder name="esxi-state-transition">
  <parent>esxi</parent>
  <prematch>State Transition (\S+ -> \S+)</prematch>
  <regex>State Transition \p(\S+) -> (\S+)\p</regex>
  <order>status, action</order>
</decoder>
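Added illustration, not part of the thread and not OSSEC's own code: a small Python emulation of the proposed decoder run over a constructed log line, showing why the `\p` anchors matter. With them the decoded action is `VM_STATE_ON`, so a rule can match `<action>VM_STATE_ON</action>`; without them the parens stay in the fields, which is the symptom described above. The OSSEC-to-Python translation covers only the escapes used here and approximates OSSEC's matcher; the sample line is constructed, since the real ESXi format is not shown in the thread.

```python
import re

# OSSEC's \p escape matches any one punctuation character from this set
# (the set given in the OSSEC regex syntax documentation).
OSSEC_PUNCT = r"""()*+,-.:;<=>?[]!"'#$%&|{}"""

# Escapes translated to Python; only the subset needed here is covered.
_ESCAPES = {
    "p": "[" + re.escape(OSSEC_PUNCT) + "]",
    "S": r"\S", "s": r"\s", "w": r"\w", "d": r"\d", ".": r"\.",
}

def ossec_to_python(pattern):
    """Approximate translation of an OSSEC regex/prematch into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c in "()+*^$":          # groups, quantifiers and anchors pass through
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))  # everything else is literal text
            i += 1
    return "".join(out)

def decode(log, prematch, regex, order):
    """Emulate a child decoder: prematch gates the line, regex groups fill <order>."""
    if not re.search(ossec_to_python(prematch), log):
        return None
    m = re.search(ossec_to_python(regex), log)
    return dict(zip(order, m.groups())) if m else None

PREMATCH = r"State Transition (\S+ -> \S+)"
REGEX_WITH_P = r"State Transition \p(\S+) -> (\S+)\p"   # the regex proposed above
REGEX_NO_P = r"State Transition (\S+) -> (\S+)"         # contrast only: no \p anchors
ORDER = ["status", "action"]

# Constructed sample line (hypothetical; the real ESXi format is not in the thread).
SAMPLE = "Feb 15 10:20:31 esxi01 Hostd: vm/42 State Transition (VM_STATE_OFF -> VM_STATE_ON)"

def fields_with_p():
    return decode(SAMPLE, PREMATCH, REGEX_WITH_P, ORDER)

def fields_without_p():
    return decode(SAMPLE, PREMATCH, REGEX_NO_P, ORDER)

if __name__ == "__main__":
    print(fields_with_p())     # {'status': 'VM_STATE_OFF', 'action': 'VM_STATE_ON'}
    print(fields_without_p())  # {'status': '(VM_STATE_OFF', 'action': 'VM_STATE_ON)'}
```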
