On Mon, Jan 28, 2013 at 10:27 AM, anthony kasza <[email protected]> wrote:
> Which version were you using?
>

It would be silly of me to reply if I was using anything before 2.7. I'm using 2.7+.

> On Mon, Jan 28, 2013 at 8:36 AM, dan (ddp) <[email protected]> wrote:
>> On Mon, Jan 28, 2013 at 9:25 AM, anthony kasza <[email protected]> wrote:
>>> Whoops. Sorry, Dan. The decoder should read:
>>> <decoder name="conn">
>>>   <program_name>conn</program_name>
>>> </decoder>
>>> <decoder name="e-conn">
>>>   <parent>conn</parent>
>>>   <regex offset="after_parent">connection (\d+)</regex>
>>>   <order>srcip</order>
>>> </decoder>
>>>
>>> In version 2.6 I am receiving what I expect:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>>        hostname: 'hostname'
>>>        program_name: 'conn'
>>>        log: 'connection 10'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'conn'
>>>        srcip: '10'
>>>
>>> In version 2.7 I am not receiving what I expect:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>>        hostname: 'hostname'
>>>        program_name: 'conn'
>>>        log: 'connection 10'
>>>
>>> **Phase 2: Completed decoding.
>>>        No decoder matched.
>>>
>>> Would you mind showing the changes you made to the decoder with the vi commands?
>>>
>>
>> This is what I have in my local_decoders.xml:
>> <decoder name="conn">
>>   <program_name>^conn</program_name>
>> </decoder>
>> <decoder name="e-conn">
>>   <parent>conn</parent>
>>   <regex offset="after_parent">connection (\d+)</regex>
>>   <order>srcip</order>
>> </decoder>
>>
>> The only thing I remember changing was fixing the "<program_name="conn"</program_name>".
>>
>>> On Mon, Jan 28, 2013 at 7:27 AM, dan (ddp) <[email protected]> wrote:
>>>> On Sun, Jan 27, 2013 at 6:37 PM, anthony kasza <[email protected]> wrote:
>>>>> Hello All,
>>>>>
>>>>> I have a local decoder that extracts fields correctly at phase 2 of the logtest from v2.6 that returns "No decoder matched" at phase 2 of the logtest from v2.7. My decoder and log line follow.
>>>>> <decoder name="conn">
>>>>>   <program_name="conn"</program_name>
>>>>> </decoder>
>>>>> <decoder name="e-conn">
>>>>>   <parent>conn</parent>
>>>>>   <regex offset="after_parent">connection (\d+)</regex>
>>>>>   <order>srcip</order>
>>>>> </decoder>
>>>>> Jan 12 12:12:12 hostname conn: connection 10
>>>>>
>>>>> I also noticed that the custom decoder and ForecField log entries here <http://www.ossec.net/doc/manual/rules-decoders/create-custom.html> are not properly extracted at phase 2 of the logtest in v2.7.
>>>>> Has anyone else had difficulties with local decoders between v2.6 and v2.7?
>>>>>
>>>>> -AK
>>>>>
>>>>
>>>> Nope.
>>>>
>>>> This appears to be working for me. What output are you expecting?
>>>>
>>>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>>>> 2013/01/28 08:25:53 ossec-testrule: INFO: Reading local decoder file.
>>>> 2013/01/28 08:25:54 ossec-testrule: INFO: Started (pid: 12220).
>>>> ossec-testrule: Type one log per line.
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>>>        hostname: 'hostname'
>>>>        program_name: 'conn'
>>>>        log: 'connection 10'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        No decoder matched.
>>>> # vi /var/ossec/etc/local_decoder.xml
>>>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>>>> 2013/01/28 08:26:11 ossec-analysisd(1226): ERROR: Error reading XML file 'etc/local_decoder.xml': XML ERR: Element not closed: program_name="conn"</program_name (line 3).
>>>> 2013/01/28 08:26:11 ossec-testrule(1202): ERROR: Configuration error at '/etc/local_decoder.xml'. Exiting.
>>>> # vi /var/ossec/etc/local_decoder.xml
>>>> # cat /tmp/x | /var/ossec/bin/ossec-logtest
>>>> 2013/01/28 08:26:39 ossec-testrule: INFO: Reading local decoder file.
>>>> 2013/01/28 08:26:39 ossec-testrule: INFO: Started (pid: 16449).
>>>> ossec-testrule: Type one log per line.
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'Jan 12 12:12:12 hostname conn: connection 10'
>>>>        hostname: 'hostname'
>>>>        program_name: 'conn'
>>>>        log: 'connection 10'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        decoder: 'conn'
>>>>        srcip: '10'
>>>> #
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group, send email to [email protected].
>>>> For more options, visit https://groups.google.com/groups/opt_out.
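The following is an added example, not code from this thread and not OSSEC's own code. It is a small Python model of the two phases ossec-logtest prints above for a parent/child decoder pair: phase 1 pre-decodes a syslog-style line into hostname, program_name and log; phase 2 picks the parent decoder whose `<program_name>` pattern matches, then applies the child's `<regex offset="after_parent">` to the text after the program name and maps its capture groups onto the `<order>` field names. Python's `re` stands in for OSSEC's own regex engine (which is not PCRE and supports a narrower syntax; the patterns used here mean the same in both), the syslog pre-decoder pattern is an assumption that is stricter than OSSEC's real pre-decoder, and the log lines are constructed. It is a way to sanity-check the parent/child/offset/order structure of a local decoder offline; it does not reproduce the 2.6-versus-2.7 behaviour the thread is about.

```python
"""Minimal model of ossec-logtest's two phases for a parent/child decoder pair.

Added example: not OSSEC code. Python's `re` is used in place of OSSEC's own
regex engine, and the SYSLOG_RE pre-decoder below is an assumption, not the
pattern OSSEC actually uses.
"""
import re
import xml.etree.ElementTree as ET

# Constructed decoder file, the working variant posted in the thread
# (program_name anchored with ^, child regex applied after the parent).
DECODERS_XML = r"""
<decoders>
  <decoder name="conn">
    <program_name>^conn</program_name>
  </decoder>
  <decoder name="e-conn">
    <parent>conn</parent>
    <regex offset="after_parent">connection (\d+)</regex>
    <order>srcip</order>
  </decoder>
</decoders>
"""

# Assumed syslog shape: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line):
    """Phase 1: split a syslog-style line into hostname, program_name, log."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def load_decoders(xml_text):
    """Read <decoder> elements into dicts; child decoders carry a 'parent'."""
    root = ET.fromstring(xml_text)
    decoders = []
    for d in root.findall("decoder"):
        decoders.append({
            "name": d.get("name"),
            "parent": (d.findtext("parent") or "").strip() or None,
            "program_name": (d.findtext("program_name") or "").strip() or None,
            "regex": d.find("regex"),
            "order": [f.strip() for f in (d.findtext("order") or "").split(",")
                      if f.strip()],
        })
    return decoders


def decode(line, decoders):
    """Phase 2: select the parent by program_name, then try its children.

    Returns {"decoder": None} when no parent matches ("No decoder matched."),
    {"decoder": name} when the parent matched but no child regex did, and the
    extracted fields (e.g. "srcip") when a child matched.
    """
    pre = predecode(line)
    if pre is None:
        return {"decoder": None}

    parent = next((d for d in decoders
                   if d["parent"] is None and d["program_name"]
                   and re.search(d["program_name"], pre["program_name"])), None)
    if parent is None:
        return {"decoder": None}

    result = {"decoder": parent["name"]}
    for child in decoders:
        if child["parent"] != parent["name"] or child["regex"] is None:
            continue
        # after_parent with a program_name-only parent means: start at the
        # log body, i.e. the text after "prog: ". Otherwise use the full line.
        target = pre["log"] if child["regex"].get("offset") == "after_parent" else line
        m = re.search(child["regex"].text, target)
        if m:
            result.update(zip(child["order"], m.groups()))
            break
    return result


if __name__ == "__main__":
    # Constructed test lines: the thread's line, an unrelated program, and a
    # matching program whose message the child regex does not cover.
    for sample in ("Jan 12 12:12:12 hostname conn: connection 10",
                   "Jan 12 12:12:12 hostname sshd[123]: Accepted publickey",
                   "Jan 12 12:12:12 hostname conn: disconnected"):
        print(sample, "->", decode(sample, load_decoders(DECODERS_XML)))
```

Run it with the decoder XML swapped for your own local_decoder.xml contents to see whether a child decoder's regex is even being handed the text you think it is; if the parent never matches here, the problem is the `<program_name>` pattern or the pre-decoded program_name, not the child regex.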
