hi
about this problem, look at this
my decoder is
<decoder name="rsyslog-pstats">
<program_name>^rsyslogd-pstats</program_name>
</decoder>
my testrule is
<group name="local,rsyslog,">
<rule id="1050001" level="7">
<decoded_as>rsyslog-pstats</decoded_as>
<regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
<extra_data>0</extra_data>
<description>Rsyslog Failed</description>
</rule>
</group>
log test
[root@localhost bin]# ./ossec-logtest
2013/02/28 17:15:30 ossec-testrule: INFO: Reading local decoder file.
2013/02/28 17:15:30 ossec-testrule: INFO: Started (pid: 12165).
ossec-testrule: Type one log per line.
2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
**Phase 1: Completed pre-decoding.
full event: '2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0'
hostname: 'localhost'
program_name: 'rsyslogd-pstats'
log: 'action 7: processed=0 failed=0'
**Phase 2: Completed decoding.
decoder: 'rsyslog-pstats'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
so, I think the rule is wrong, but I don't know, what is wrong with the rule?
thanks&Best Regards
From: root
Sent: 2013-02-28 15:40
To: ossec-list
Subject: Re: about ossec rules Regular Expression Syntax
and what does
<extra_data> in rules mean?
does it support Regular Expression Syntax?
now my rule is
<group name="local,rsyslog,">
<rule id="1050001" level="7">
<decoded_as>rsyslog-pstats</decoded_as>
<regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
<extra_data>^[1-9]+</extra_data>
<description>Rsyslog Failed</description>
</rule>
</group>
looks like it can not work?
thanks&Best Regards
From: root
Sent: 2013-02-28 15:33
To: ossec-list
Subject: about ossec rules Regular Expression Syntax
hi, all
I got a question, that is about ossec rules Regular Expression Syntax.
we know, when I want to match the number, I can use "\d" or "\d+"
but now, if I have a string like this
"failed=0"=="failed=(\d+)"
I want to exclude "0", I use "failed=([1-9]+)", it can not match it..
how can I do it?
thanks&Best Regards
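An added example, not from any message in this thread, of how "alert only when failed is non-zero" is usually expressed in OSSEC. It assumes OSSEC's own regex dialect (os_regex), which has \d and + but no [1-9] bracket classes, and that a rule's <extra_data> only compares against a field a decoder has already captured via <order>; the decoder name rsyslog-pstats and rule id 1050001 come from the thread, while the child decoder name and rule id 1050002 are constructed here.

```xml
<!-- Added example (not from the thread). Parent decoder as posted in the thread. -->
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

<!-- Constructed child decoder: os_regex supports \d+ but not [1-9] ranges,
     so capture any digits and hand them to the extra_data field via <order>.
     Without this, a rule's <extra_data> has nothing to compare against. -->
<decoder name="rsyslog-pstats-failed">
  <parent>rsyslog-pstats</parent>
  <regex>failed=(\d+)</regex>
  <order>extra_data</order>
</decoder>

<group name="local,rsyslog,">
  <!-- Fire on any pstats action line that carries a failed counter... -->
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>failed=</match>
    <description>Rsyslog action reported a failed counter</description>
  </rule>

  <!-- ...then silence the common failed=0 case. Rule-level <extra_data>
       is an sregex (literal text plus ^ $ |), so ^0$ means exactly "0".
       Rule id 1050002 is constructed for this example. -->
  <rule id="1050002" level="0">
    <if_sid>1050001</if_sid>
    <extra_data>^0$</extra_data>
    <description>Rsyslog action with no failures (ignored)</description>
  </rule>
</group>
```

Feed the thread's sample line through ossec-logtest after adding both files: a failed=0 line should end at rule 1050002 (level 0), while a non-zero failed value stays on 1050001.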
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.