On Feb 28, 2013 6:26 AM, "root" <[email protected]> wrote:
>
> And what does <extra_data> mean in rules?
> Does it support regular expression syntax?
>
> Now my rule is:
>
> <group name="local,rsyslog,">
>   <rule id="1050001" level="7">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>     <extra_data>^[1-9]+</extra_data>
>     <description>Rsyslog Failed</description>
>   </rule>
> </group>
>
> It looks like it does not work?
>
The regular expression syntax supported by ossec is documented on the site.

> Thanks & Best Regards
>
> From: root
> Sent: 2013-02-28 15:33
> To: ossec-list
> Subject: about ossec rules Regular Expression Syntax
>
> Hi all,
>
> I have a question about ossec rules regular expression syntax.
>
> We know that when I want to match a number, I can use "\d" or "\d+".
>
> But now, if I have a string like this:
>
> "failed=0"=="failed=(\d+)"
>
> I want to exclude "0". I use "failed=([1-9]+)", but it cannot match.
>
> How can I do this?
>
> Thanks & Best Regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
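
An added example, not part of the original thread: OSSEC's regex syntax has no bracket character classes, so `[1-9]` is not read as a digit range. One way to alert only on non-zero counts is to keep the `\d+` rule and silence the zero case with a level-0 child rule. Rule id 1050002 is a hypothetical id, and the sketch assumes the poster's own `rsyslog-pstats` decoder and that `failed=0` is followed by a non-digit or by the end of the line.

```xml
<group name="local,rsyslog,">

  <!-- Parent rule from the thread, with the <extra_data> test removed:
       [1-9] is not part of OSSEC's regex syntax (no bracket classes). -->
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
    <description>Rsyslog Failed</description>
  </rule>

  <!-- Hypothetical child rule (id chosen for this example).
       It is evaluated only after 1050001 has matched, and level 0
       means no alert is generated when the counter is exactly 0.
       "failed=0$" covers a counter at the end of the line,
       "failed=0\D" covers a counter followed by any non-digit,
       so values such as failed=10 still alert through the parent. -->
  <rule id="1050002" level="0">
    <if_sid>1050001</if_sid>
    <regex>failed=0$|failed=0\D</regex>
    <description>Rsyslog Failed counter is zero (ignored)</description>
  </rule>

</group>
```

Running sample log lines through `ossec-logtest` shows which of the two rules fires before the change is deployed.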
