Which version were you using?

On Mon, Jan 28, 2013 at 8:36 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Jan 28, 2013 at 9:25 AM, anthony kasza <[email protected]>
> wrote:
>> Whoops. Sorry, Dan. The decoder should read:
>> <decoder name="conn">
>>   <program_name>conn</program_name>
>> </decoder>
>> <decoder name="e-conn">
>>   <parent>conn</parent>
>>   <regex offset="after_parent">connection (\d+)</regex>
>>   <order>srcip</order>
>> </decoder>
>>
>> In version 2.6 I am receiving what I expect:
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>        hostname: 'hostname'
>>        program_name: 'conn'
>>        log: 'connection 10'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'conn'
>>        srcip: '10'
>>
>> In version 2.7 I am not receiving what I expect:
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>        hostname: 'hostname'
>>        program_name: 'conn'
>>        log: 'connection 10'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> Would you mind showing the changes you made to the decoder with the vi
>> commands?
>>
>
> This is what I have in my local_decoders.xml:
> <decoder name="conn">
>   <program_name>^conn</program_name>
> </decoder>
> <decoder name="e-conn">
>   <parent>conn</parent>
>   <regex offset="after_parent">connection (\d+)</regex>
>   <order>srcip</order>
> </decoder>
>
> The only thing I remember changing was fixing the
> "<program_name="conn"</program_name>".
>
>> On Mon, Jan 28, 2013 at 7:27 AM, dan (ddp) <[email protected]> wrote:
>>> On Sun, Jan 27, 2013 at 6:37 PM, anthony kasza <[email protected]>
>>> wrote:
>>>> Hello All,
>>>>
>>>> I have a local decoder that extracts fields correctly at phase 2 of
>>>> the logtest from v2.6 that returns "No decoder matched" at phase 2 of
>>>> the logtest from v2.7. My decoder and log line follow.
>>>>
>>>> <decoder name="conn">
>>>>   <program_name="conn"</program_name>
>>>> </decoder>
>>>> <decoder name="e-conn">
>>>>   <parent>conn</parent>
>>>>   <regex offset="after_parent">connection (\d+)</regex>
>>>>   <order>srcip</order>
>>>> </decoder>
>>>>
>>>> Jan 12 12:12:12 hostname conn: connection 10
>>>>
>>>> I also noticed that the custom decoder and ForecField log entries here
>>>> <http://www.ossec.net/doc/manual/rules-decoders/create-custom.html>
>>>> are not properly extracted at phase 2 of the logtest in v2.7.
>>>> Has anyone else had difficulties with local decoders between v2.6 and v2.7?
>>>>
>>>> -AK
>>>>
>>>
>>> Nope.
>>>
>>> This appears to be working for me. What output are you expecting?
>>>
>>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>>> 2013/01/28 08:25:53 ossec-testrule: INFO: Reading local decoder file.
>>> 2013/01/28 08:25:54 ossec-testrule: INFO: Started (pid: 12220).
>>> ossec-testrule: Type one log per line.
>>>
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>>        hostname: 'hostname'
>>>        program_name: 'conn'
>>>        log: 'connection 10'
>>>
>>> **Phase 2: Completed decoding.
>>>        No decoder matched.
>>> # vi /var/ossec/etc/local_decoder.xml
>>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>>> 2013/01/28 08:26:11 ossec-analysisd(1226): ERROR: Error reading XML
>>> file 'etc/local_decoder.xml': XML ERR: Element not closed:
>>> program_name="conn"</program_name (line 3).
>>> 2013/01/28 08:26:11 ossec-testrule(1202): ERROR: Configuration error
>>> at '/etc/local_decoder.xml'. Exiting.
>>> # vi /var/ossec/etc/local_decoder.xml
>>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>>> 2013/01/28 08:26:39 ossec-testrule: INFO: Reading local decoder file.
>>> 2013/01/28 08:26:39 ossec-testrule: INFO: Started (pid: 16449).
>>> ossec-testrule: Type one log per line.
>>>
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>>        hostname: 'hostname'
>>>        program_name: 'conn'
>>>        log: 'connection 10'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'conn'
>>>        srcip: '10'
>>> #
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group, send email to
>>> [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
>
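As an added example, not code from the thread or from OSSEC itself, the following Python script emulates the two ossec-logtest phases shown above (pre-decode the syslog header, then match a parent decoder on program_name and hand the log body to the child's regex with offset="after_parent", filling fields from <order>) and checks a local_decoder.xml for well-formedness before it is loaded, which is the "XML ERR: Element not closed" failure Dan hit. The decoder text is copied from the thread; the second sample line, the syslog header regex, the OSSEC-escape translation table and the after_parent simplification are assumptions of this example and are marked as such in the code.

```python
"""Emulate the two ossec-logtest phases seen in the thread (added example, not OSSEC code).

Assumptions, none taken from OSSEC source: SYSLOG_RE is a simplified syslog
header parser; _OSSEC_ESCAPES approximates the OSSEC regex dialect; for a
parent matched only on <program_name>, offset="after_parent" is taken to mean
"the whole log body".
"""
import re
import xml.etree.ElementTree as ET

# Decoder text as posted in the thread (Dan's version with the ^ anchor).
LOCAL_DECODER_XML = r"""
<decoder name="conn">
  <program_name>^conn</program_name>
</decoder>
<decoder name="e-conn">
  <parent>conn</parent>
  <regex offset="after_parent">connection (\d+)</regex>
  <order>srcip</order>
</decoder>
"""

# The malformed variant from the original post (rejected by ossec-logtest).
BROKEN_DECODER_XML = r"""
<decoder name="conn">
  <program_name="conn"</program_name>
</decoder>
"""

# Assumed syslog header layout: "<Mon DD HH:MM:SS> <host> <prog>[pid]: <log>".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Assumed translation of OSSEC regex escapes to Python. In the OSSEC dialect
# "\." is the wildcard and a bare "." is literal, the reverse of Python.
_OSSEC_ESCAPES = {
    "d": "[0-9]", "D": "[^0-9]", "w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]",
    "s": " ", "S": "[^ ]", "p": r"[()*+,.:;<=>?\[\]!\"'#$%&|{}-]", ".": ".",
}


def decoder_xml_error(text):
    """Return None if the decoder file is well-formed XML, else the parser error.

    local_decoder.xml holds several top-level <decoder> elements, which is not
    a single-rooted document, so a synthetic root is wrapped around it.
    """
    try:
        ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        return str(exc)
    return None


def load_decoders(text):
    """Parse decoder definitions into plain dicts (only the tags used here)."""
    root = ET.fromstring("<root>" + text + "</root>")
    return [{
        "name": node.get("name"),
        "parent": node.findtext("parent"),
        "program_name": node.findtext("program_name"),
        "regex": node.findtext("regex"),
        "order": [f.strip() for f in (node.findtext("order") or "").split(",") if f.strip()],
    } for node in root.findall("decoder")]


def ossec_to_python_regex(pattern):
    """Translate the OSSEC regex subset in _OSSEC_ESCAPES to a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(r"\." if ch == "." else ch)  # ^ $ ( ) + * | keep their meaning
            i += 1
    return "".join(out)


def predecode(line):
    """Phase 1: split the syslog header into hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(line, decoders):
    """Phase 2: pick a parent decoder by program_name, then run its children.

    Returns {"decoder": <parent>, <field>: <value>, ...} like ossec-logtest
    prints, or None when no decoder matched.
    """
    pre = predecode(line)
    if pre is None:
        return None
    for parent in decoders:
        if parent["parent"] is not None or not parent["program_name"]:
            continue
        if not re.search(ossec_to_python_regex(parent["program_name"]), pre["program_name"]):
            continue
        result = {"decoder": parent["name"]}
        for child in decoders:
            if child["parent"] != parent["name"] or not child["regex"]:
                continue
            # after_parent: the parent matched on program_name only, so the
            # child sees the whole log body (assumption, see module docstring).
            m = re.search(ossec_to_python_regex(child["regex"]), pre["log"])
            if m:
                result.update(zip(child["order"], m.groups()))
                break
        return result
    return None


if __name__ == "__main__":
    print("broken decoder rejected:", decoder_xml_error(BROKEN_DECODER_XML))
    decs = load_decoders(LOCAL_DECODER_XML)
    # Constructed samples: the thread's line and one from another program.
    for sample in ("Jan 12 12:12:12 hostname conn: connection 10",
                   "Jan 12 12:12:13 hostname sshd[4242]: connection 10"):
        print(sample, "->", decode(sample, decs) or "No decoder matched.")
```

Running the script rejects the malformed decoder at the XML stage and decodes the thread's line to decoder 'conn' with srcip '10', while the sshd line gets "No decoder matched." because no parent decoder's program_name pattern matches it. The script only reproduces the mechanics of the decoder chain; it does not settle what changed between 2.6 and 2.7, which the thread leaves open.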
