On Mon, Jan 28, 2013 at 9:25 AM, anthony kasza <[email protected]> wrote:
> Whoops. Sorry, Dan. The decoder should read:
> <decoder name="conn">
> <program_name>conn</program_name>
> </decoder>
> <decoder name="e-conn">
> <parent>conn</parent>
> <regex offset="after_parent">connection (\d+)</regex>
> <order>srcip</order>
> </decoder>
>
> In version 2.6 I am receiving what I expect
> **Phase 1: Completed pre-decoding.
> full event: 'Jan 12 12:12:12 hostname conn: connection 10'
> hostname: 'hostname'
> program_name: 'conn'
> log: 'connection 10'
>
> **Phase 2: Completed decoding.
> decoder: 'conn'
> srcip: '10'
>
> In version 2.7 I am not receiving what I expect
> **Phase 1: Completed pre-decoding.
> full event: 'Jan 12 12:12:12 hostname conn: connection 10'
> hostname: 'hostname'
> program_name: 'conn'
> log: 'connection 10'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> Would you mind showing the changes you made to the decoder with the vi
> commands?
>
This is what I have in my local_decoders.xml:

<decoder name="conn">
<program_name>^conn</program_name>
</decoder>
<decoder name="e-conn">
<parent>conn</parent>
<regex offset="after_parent">connection (\d+)</regex>
<order>srcip</order>
</decoder>

The only thing I remember changing was fixing the "<program_name="conn"</program_name>."

> On Mon, Jan 28, 2013 at 7:27 AM, dan (ddp) <[email protected]> wrote:
>> On Sun, Jan 27, 2013 at 6:37 PM, anthony kasza <[email protected]> wrote:
>>> Hello All,
>>>
>>> I have a local decoder that extracts fields correctly at phase 2 of
>>> the logtest from v2.6 that returns "No decoder matched" at phase 2 of
>>> the logtest from v2.7. My decoder and log line follow.
>>> <decoder name="conn">
>>> <program_name="conn"</program_name>
>>> </decoder>
>>> <decoder name="e-conn">
>>> <parent>conn</parent>
>>> <regex offset="after_parent">connection (\d+)</regex>
>>> <order>srcip</order>
>>> </decoder>
>>> Jan 12 12:12:12 hostname conn: connection 10
>>>
>>> I also noticed that the custom decoder and ForecField log entries here
>>> <http://www.ossec.net/doc/manual/rules-decoders/create-custom.html>
>>> are not properly extracted at phase 2 of the logtest in v2.7.
>>> Has anyone else had difficulties with local decoders between v2.6 and v2.7?
>>>
>>> -AK
>>
>> Nope.
>>
>> This appears to be working for me. What output are you expecting?
>>
>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>> 2013/01/28 08:25:53 ossec-testrule: INFO: Reading local decoder file.
>> 2013/01/28 08:25:54 ossec-testrule: INFO: Started (pid: 12220).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>> hostname: 'hostname'
>> program_name: 'conn'
>> log: 'connection 10'
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>> # vi /var/ossec/etc/local_decoder.xml
>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>> 2013/01/28 08:26:11 ossec-analysisd(1226): ERROR: Error reading XML
>> file 'etc/local_decoder.xml': XML ERR: Element not closed:
>> program_name="conn"</program_name (line 3).
>> 2013/01/28 08:26:11 ossec-testrule(1202): ERROR: Configuration error
>> at '/etc/local_decoder.xml'. Exiting.
>> # vi /var/ossec/etc/local_decoder.xml
>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>> 2013/01/28 08:26:39 ossec-testrule: INFO: Reading local decoder file.
>> 2013/01/28 08:26:39 ossec-testrule: INFO: Started (pid: 16449).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>> hostname: 'hostname'
>> program_name: 'conn'
>> log: 'connection 10'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'conn'
>> srcip: '10'
>> #
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
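The thread's whole problem is a decoder file that is not well-formed XML, which ossec-analysisd refuses to load, and the fix is a parent decoder keyed on program_name plus a child decoder whose regex runs on the log body. The script below is an added example, not code from OSSEC or from anyone in this thread. It wraps the decoder snippets from the thread (local_decoder.xml has no single root element, so it is wrapped in a throwaway element for Python's ElementTree), reports the well-formedness error for the malformed `<program_name="conn"</program_name>` variant, and then simulates the two logtest phases on the sample line. The simulation is deliberately simplified and assumes that the two patterns in the thread (`^conn` and `connection (\d+)`) mean the same thing in Python's regex engine as in OSSEC's own dialect; the `predecode` syslog pattern is the example's own, not OSSEC's.

```python
"""Simulate ossec-logtest's two phases for the decoder in this thread.

Added example, not OSSEC code. Phase 1 splits a syslog line into hostname,
program_name and log; phase 2 matches the parent decoder on program_name and
then the child decoder's <regex offset="after_parent"> on the log body.
It also checks the decoder XML for well-formedness, which is what the
"Element not closed" error in the thread boils down to.
"""
import re
import xml.etree.ElementTree as ET

# Decoders as the thread settles on them (constructed from the posts).
GOOD_DECODERS = r"""
<decoder name="conn">
  <program_name>^conn</program_name>
</decoder>
<decoder name="e-conn">
  <parent>conn</parent>
  <regex offset="after_parent">connection (\d+)</regex>
  <order>srcip</order>
</decoder>
"""

# The malformed variant from the first post: the opening tag is never closed.
BAD_DECODERS = r"""
<decoder name="conn">
  <program_name="conn"</program_name>
</decoder>
"""

SAMPLE_LINE = "Jan 12 12:12:12 hostname conn: connection 10"  # from the thread

# Simplified syslog pre-decoder (this example's own, not OSSEC's):
# "<timestamp> <host> <program>[pid]: <message>"
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def check_wellformed(xml_text):
    """Return the XML parser's error message, or None if well-formed.

    local_decoder.xml holds several top-level <decoder> elements, so it is
    wrapped in one root element to satisfy ElementTree.
    """
    try:
        ET.fromstring("<decoders>" + xml_text + "</decoders>")
    except ET.ParseError as exc:
        return str(exc)
    return None


def load_decoders(xml_text):
    """Parse <decoder> elements into plain dicts (only the fields used here)."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = []
    for el in root.findall("decoder"):
        regex_el = el.find("regex")
        order = el.findtext("order") or ""
        decoders.append({
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "program_name": el.findtext("program_name"),
            "regex": None if regex_el is None else regex_el.text,
            "offset": None if regex_el is None else regex_el.get("offset"),
            "order": [f.strip() for f in order.split(",") if f.strip()],
        })
    return decoders


def predecode(line):
    """Phase 1: split the syslog line; None if it is not syslog-shaped."""
    m = _SYSLOG.match(line)
    return None if m is None else m.groupdict()


def decode(pre, decoders):
    """Phase 2: return {'decoder': <parent name>, <order fields>...} or None.

    Assumption: the thread's patterns behave the same under Python's re as
    under OSSEC's regex dialect, so re.search is applied directly.
    """
    for parent in (d for d in decoders if d["parent"] is None):
        if parent["program_name"] and not re.search(parent["program_name"], pre["program_name"]):
            continue
        fields = {"decoder": parent["name"]}
        rest = pre["log"]
        if parent["regex"]:
            m = re.search(parent["regex"], rest)
            if m:
                fields.update(zip(parent["order"], m.groups()))
                rest = rest[m.end():]  # children with offset="after_parent" start here
        for child in (d for d in decoders if d["parent"] == parent["name"]):
            target = rest if child["offset"] == "after_parent" else pre["log"]
            m = re.search(child["regex"], target) if child["regex"] else None
            if m:
                fields.update(zip(child["order"], m.groups()))
                break
        return fields
    return None


def logtest(line, xml_text):
    """Run both phases the way ossec-logtest reports them."""
    pre = predecode(line)
    return None if pre is None else decode(pre, load_decoders(xml_text))


if __name__ == "__main__":
    print("bad XML  ->", check_wellformed(BAD_DECODERS))
    print("good XML ->", check_wellformed(GOOD_DECODERS))
    print("decoded  ->", logtest(SAMPLE_LINE, GOOD_DECODERS))
```

The well-formedness check is the part worth keeping around: the thread shows that a single unclosed tag in local_decoder.xml makes analysisd exit with a configuration error, so running the decoder file through an XML parser (or through ossec-logtest itself, as dan did) before restarting the daemon catches the mistake without taking log analysis down.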
