So, thanks. I think that "extra_data" can match in rules after the <regex> :(

thanks & Best Regards

From: dan (ddp)
Sent: 2013-02-28 19:32
To: ossec-list
Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax

On Feb 28, 2013 6:26 AM, "root" <[email protected]> wrote:
>
> Hi,
>
> About this problem, look at this.
>
> My decoder is
>
> <decoder name="rsyslog-pstats">
>   <program_name>^rsyslogd-pstats</program_name>
> </decoder>
>

You aren't decoding an extra_data entry here, so your rule will never match.
The second example I wrote for you decoded this properly.

> My test rule is
>
> <group name="local,rsyslog,">
>   <rule id="1050001" level="7">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>     <extra_data>0</extra_data>
>     <description>Rsyslog Failed</description>
>   </rule>
> </group>
>
> Log test:
>
> [root@localhost bin]# ./ossec-logtest
> 2013/02/28 17:15:30 ossec-testrule: INFO: Reading local decoder file.
> 2013/02/28 17:15:30 ossec-testrule: INFO: Started (pid: 12165).
> ossec-testrule: Type one log per line.
>
> 2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2013-02-27T19:06:08.807156+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0'
>        hostname: 'localhost'
>        program_name: 'rsyslogd-pstats'
>        log: 'action 7: processed=0 failed=0'
>
> **Phase 2: Completed decoding.
>        decoder: 'rsyslog-pstats'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
>
> So, I think the rule is wrong, but I don't know what is wrong with the rule?
>
> thanks & Best Regards
>
> From: root
> Sent: 2013-02-28 15:40
> To: ossec-list
> Subject: Re: about ossec rules Regular Expression Syntax
>
> And what does <extra_data> mean in rules? Does it support regular expression syntax?
>
> Now my rules are
>
> <group name="local,rsyslog,">
>   <rule id="1050001" level="7">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
>     <extra_data>^[1-9]+</extra_data>
>     <description>Rsyslog Failed</description>
>   </rule>
> </group>
>
> It looks like it cannot work?
>
> thanks & Best Regards
>
> From: root
> Sent: 2013-02-28 15:33
> To: ossec-list
> Subject: about ossec rules Regular Expression Syntax
>
> Hi all,
>
> I have a question about OSSEC rules regular expression syntax.
>
> We know that when I want to match a number, I can use "\d" or "\d+".
>
> But now, if I have a string like this:
>
> "failed=0" == "failed=(\d+)"
>
> I want to exclude "0". I use "failed=([1-9]+)", but it cannot match it.
>
> How can I do this?
>
> thanks & Best Regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
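A constructed decoder and rule pair, added here as an illustration of dan's point (it is not his "second example" nor the poster's config): a rule's <extra_data> can only test a value that a decoder has actually placed into extra_data. OSSEC's own regex engine has no bracket classes such as [1-9], so the "failed is not zero" condition is expressed by alerting on any decoded failed counter and silencing the zero case with a level-0 child rule; rule ids and the child decoder name are placeholders I chose, and the rule uses the parent decoder's name in <decoded_as>, which is assumed to be how child-decoded events are named.

```xml
<!-- local_decoder.xml: constructed example, not the list poster's file -->
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

<!-- Child decoder: pull the failed counter out of the message and
     store it in the extra_data field, so rules can test it. -->
<decoder name="rsyslog-pstats-failed">
  <parent>rsyslog-pstats</parent>
  <regex offset="after_parent">failed=(\d+)</regex>
  <order>extra_data</order>
</decoder>

<!-- local_rules.xml: constructed example; ids 100001/100002 are placeholders -->
<group name="local,rsyslog,">
  <!-- Alert on every pstats line that carries a failed counter. -->
  <rule id="100001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>failed=</match>
    <description>Rsyslog action reported failed messages</description>
  </rule>

  <!-- Level-0 child: when the decoded counter is exactly "0" this rule
       matches instead of its parent, so no alert is raised. -->
  <rule id="100002" level="0">
    <if_sid>100001</if_sid>
    <extra_data>^0$</extra_data>
    <description>Rsyslog failed counter is zero, ignore</description>
  </rule>
</group>
```

Feeding the poster's sample line to ossec-logtest should now show extra_data: '0' in phase 2 and end on rule 100002 with no alert, while a line with failed=3 ends on rule 100001.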
