Hi,

Thanks for your reply. Why instead?

I deleted the "<order>extra_data</order>", and the service could start.

But now, when I use logtest like this:

2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0

[root@localhost bin]# ./ossec-logtest
2013/02/27 20:30:52 ossec-testrule: INFO: Reading local decoder file.
2013/02/27 20:30:52 ossec-testrule: INFO: Started (pid: 7105).
ossec-testrule: Type one log per line.

2013-02-27T19:06:08.807158+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0


**Phase 1: Completed pre-decoding.
       full event: '2013-02-27T19:06:08.807158+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0 '
       hostname: 'localhost'
       program_name: 'rsyslogd-pstats'
       log: 'action 8: processed=0 failed=0 '

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'



It seems like the decoder cannot work?

Thanks & Best Regards

From: R0me0 ***
Date: 2013-02-27 20:30
To: ossec-list
Subject: Re: [ossec-list] how to write decoder?
Use syslog instead of "rsyslog".



2013/2/27 root <[email protected]>

Hi, all

Now I write the decoder like this:

 <decoder name="rsyslog">
   <prematch>^(.*)\s+rsyslogd-pstats:\s+(.*)</prematch>
   <order>extra_data</order>
 </decoder>

But when I restart OSSEC:

2013/02/27 20:04:21 ossec-analysisd(2107): ERROR: Decoder configuration error: 'rsyslog'.
2013/02/27 20:04:21 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

What can I do?
-- 
 
--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
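The thread above shows two separate things: the loader rejecting a decoder that has an <order> but no <regex>, and a prematch that never fires because, as the Phase 1 output of ossec-logtest shows, the "rsyslogd-pstats:" token has already been consumed into program_name before any decoder sees the log. The following Python script is an added example, not OSSEC's code and not anything posted in this thread. It models the two phases on the two rsyslogd-pstats lines quoted above (constructed from the thread, unwrapped onto one line each) and contrasts the thread's decoder with one that selects on program_name and pairs a regex with its order list. It uses Python's re module rather than OSSEC's own regex dialect, so the patterns are illustrative and not copy-paste decoder XML; the loader check and the field names id and extra_data are assumptions modelled on what the thread shows.

```python
import re

# Constructed sample input: the two rsyslogd-pstats lines quoted in this thread,
# unwrapped back onto one line each.
SAMPLE_LINES = [
    "2013-02-27T19:06:08.807161+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0",
    "2013-02-27T19:06:08.807158+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0",
]

# Phase 1 (pre-decoding): split the syslog header into hostname / program_name / log,
# mirroring the fields ossec-logtest printed. Decoders only ever see the 'log' part.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+(?P<program_name>[^:\s]+):\s*(?P<log>.*)$"
)


def predecode(line):
    """Return hostname/program_name/log for a syslog line, or None if it has no header."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    return {k: m.group(k) for k in ("hostname", "program_name", "log")}


def load_decoder(spec):
    """Validate a decoder definition (assumed loader behaviour, modelled on the thread):
    an 'order' needs a 'regex' whose capture groups supply the listed fields."""
    regex = re.compile(spec["regex"]) if spec.get("regex") else None
    order = spec.get("order", [])
    if order and regex is None:
        raise ValueError(f"Decoder configuration error: '{spec['name']}' (order without regex)")
    if regex is not None and regex.groups != len(order):
        raise ValueError(f"Decoder configuration error: '{spec['name']}' (group/order count mismatch)")
    return {
        "name": spec["name"],
        "program_name": re.compile(spec["program_name"]) if spec.get("program_name") else None,
        "prematch": re.compile(spec["prematch"]) if spec.get("prematch") else None,
        "regex": regex,
        "order": order,
    }


def decode(decoder, event):
    """Phase 2: apply one decoder to a pre-decoded event; return extracted fields or None."""
    if decoder["program_name"] and not decoder["program_name"].search(event["program_name"]):
        return None
    if decoder["prematch"] and not decoder["prematch"].search(event["log"]):
        return None
    fields = {"decoder": decoder["name"]}
    if decoder["regex"]:
        m = decoder["regex"].search(event["log"])
        if m is None:
            return None
        # Each capture group is assigned to the field name at the same position in order.
        fields.update(zip(decoder["order"], m.groups()))
    return fields


def run(decoders, lines):
    """Decode every line with the first decoder that matches; None means 'No decoder matched'."""
    results = []
    for line in lines:
        event = predecode(line)
        hit = None
        if event is not None:
            for dec in decoders:
                hit = decode(dec, event)
                if hit is not None:
                    break
        results.append(hit)
    return results


# The thread's decoder with its <order> removed: the prematch still looks for
# "rsyslogd-pstats:", but that token became program_name in phase 1, so the prematch
# never sees it and both lines fall through to "No decoder matched".
THREAD_DECODER = {"name": "rsyslog", "prematch": r"^(.*)\s+rsyslogd-pstats:\s+(.*)"}

# A decoder that selects on program_name, prematches the remainder, and pairs a regex
# with an order list of the same length (field names are assumed OSSEC field names).
PSTATS_DECODER = {
    "name": "rsyslogd-pstats",
    "program_name": r"^rsyslogd-pstats$",
    "prematch": r"^(?:imudp|action)\b",
    "regex": r"^(.+?): (.*)$",
    "order": ["id", "extra_data"],
}

if __name__ == "__main__":
    for hit in run([load_decoder(THREAD_DECODER)], SAMPLE_LINES):
        print("thread decoder:", hit)
    for hit in run([load_decoder(PSTATS_DECODER)], SAMPLE_LINES):
        print("pstats decoder:", hit)
```

Running the script prints None twice for the thread's decoder and the extracted id/extra_data pairs for the second one; feeding the original decoder with its order list but no regex to load_decoder raises the configuration error instead of loading.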