Hi,
It is wrong if I write this:
<decoder name="rsyslog">
<program_name>^rsyslogd-pstats</program_name>
<regex>^(.*)\s+rsyslogd-pstats:\s+(.*)</regex>
</decoder>
OSSEC says:
2013/02/27 20:52:59 ossec-analysisd(2107): ERROR: Decoder configuration error:
'rsyslog'.
2013/02/27 20:52:59 ossec-testrule(1202): ERROR: Configuration error at
'/etc/decoder.xml'. Exiting.
Thanks & Best Regards
From: dan (ddp)
Date: 2013-02-27 20:40
To: ossec-list
Subject: Re: [ossec-list] how to write decoder?
On Feb 27, 2013 7:27 AM, "root" <[email protected]> wrote:
>
> Hi, all
>
> Now, I write the decoder like this:
>
> <decoder name="rsyslog">
> <prematch>^(.*)\s+rsyslogd-pstats:\s+(.*)</prematch>
This looks like an attempt at regex. I think the syntax is off, but I can't be
sure without a sample.
> <order>extra_data</order>
You need a <regex>.
> </decoder>
>
> But when I restart OSSEC:
>
> 2013/02/27 20:04:21 ossec-analysisd(2107): ERROR: Decoder configuration
> error: 'rsyslog'.
> 2013/02/27 20:04:21 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
>
> What can I do?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
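
An added example, not part of the thread and not OSSEC's own code: a small pre-flight check that flags the `<regex>`/`<order>` pairing mistakes visible in the two decoders above before ossec-analysisd is restarted. The function name `lint_decoders` is hypothetical; the "order needs a regex" rule comes from the reply above, while the reverse rule and the group-count comparison are assumptions about how OSSEC pairs the two elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two decoders from the thread, plus a paired form
# whose pattern is illustrative only (no real log sample is on the page).
SAMPLE = r"""
<decoder name="attempt-1">
  <prematch>^(.*)\s+rsyslogd-pstats:\s+(.*)</prematch>
  <order>extra_data</order>
</decoder>
<decoder name="attempt-2">
  <program_name>^rsyslogd-pstats</program_name>
  <regex>^(.*)\s+rsyslogd-pstats:\s+(.*)</regex>
</decoder>
<decoder name="paired">
  <program_name>^rsyslogd-pstats</program_name>
  <regex>^(\S+): (\S+)</regex>
  <order>id, extra_data</order>
</decoder>
"""


def lint_decoders(xml_text):
    """Map each decoder name to a list of <regex>/<order> pairing problems."""
    # decoder.xml has no single root element, so wrap it before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = {}
    for dec in root.iter("decoder"):
        regex, order = dec.findtext("regex"), dec.findtext("order")
        fields = [f.strip() for f in (order or "").split(",") if f.strip()]
        # Assumption: every "(" not preceded by a backslash opens a capture group.
        groups = len(re.findall(r"(?<!\\)\(", regex or ""))
        problems = []
        if order is not None and regex is None:
            problems.append("<order> without <regex>")
        elif regex is not None and order is None and groups:
            problems.append("<regex> has %d group(s) but no <order>" % groups)
        elif regex is not None and order is not None and groups != len(fields):
            problems.append("%d group(s) for %d <order> field(s)" % (groups, len(fields)))
        # Child decoders may reuse a name, so accumulate rather than overwrite.
        findings.setdefault(dec.get("name"), []).extend(problems)
    return findings


if __name__ == "__main__":
    for name, problems in lint_decoders(SAMPLE).items():
        print(name, "->", problems or "ok")
```

The check is structural only: it does not validate the pattern syntax itself, which the reply above could not confirm without a sample log line.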