On Mon, Mar 4, 2013 at 11:30 PM, root <[email protected]> wrote:
> Now I wrote it like this:
>
> <decoder name="rsyslog-pstats-main">
>   <parent>rsyslog-pstats</parent>
>   <prematch>^main\sQ</prematch>
> </decoder>
>
> <decoder name="rsyslog-pstats-discarded-full">
>   <parent>rsyslog-pstats-main</parent>
>   <regex offset="after_parent">^\.*discarded\pfull=(\d+)\.*</regex>
>   <order>extra_data</order>
> </decoder>
>
> <decoder name="rsyslog-pstats-discarded-nf">
>   <parent>rsyslog-pstats-main</parent>
>   <regex offset="after_parent">^\.*discarded\pnf=(\d+)\.*</regex>
>   <order>extra_data</order>
> </decoder>
>
> but the server says:
>
> 2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'rsyslog-pstats-main'.

My guess would be that a child cannot be a parent.

> 2013/03/05 12:27:03 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> 2013/03/05 12:27:03 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> 2013/03/05 12:28:13 ossec-syscheckd: INFO: Starting syscheck scan.
>
> Thanks & best regards
>
> From: root
> Date: 2013-03-04 12:43
> To: ossec-list
> Subject: multiple OSSEC decoders on the same event has some problem
>
> Hi all,
>
> I want to match these events:
>
> 2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
> 2013-03-04T12:39:54.901163+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
> 2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441
> 2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0
> 2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0
> 2013-03-04T12:40:04.906921+08:00 localhost rsyslogd-pstats: action 2: processed=2393 failed=0
> 2013-03-04T12:40:04.906923+08:00 localhost rsyslogd-pstats: action 3: processed=35 failed=0
> 2013-03-04T12:40:04.906925+08:00 localhost rsyslogd-pstats: action 4: processed=2 failed=0
> 2013-03-04T12:40:04.906926+08:00 localhost rsyslogd-pstats: action 5: processed=32 failed=0
> 2013-03-04T12:40:04.906928+08:00 localhost rsyslogd-pstats: action 6: processed=0 failed=0
> 2013-03-04T12:40:04.906930+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
> 2013-03-04T12:40:04.906931+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0
>
> I want to match all of the "failed" or "discarded" values.
>
> My decoder looks like this:
>
> <decoder name="rsyslog-pstats">
>   <program_name>^rsyslogd-pstats</program_name>
> </decoder>
>
> <!-- failed -->
> <decoder name="rsyslog-pstats-failed">
>   <parent>rsyslog-pstats</parent>
>   <prematch>^action\s\d+</prematch>
>   <regex offset="after_prematch">^\.*failed=(\d+)</regex>
>   <order>extra_data</order>
> </decoder>
>
> <!-- main Q -->
> <decoder name="rsyslog-pstats-discarded">
>   <parent>rsyslog-pstats</parent>
>   <prematch>^main\sQ</prematch>
> </decoder>
>
> <decoder name="rsyslog-pstats-discarded-full">
>   <parent>rsyslog-pstats-discarded</parent>
>   <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
>   <order>extra_data</order>
> </decoder>
>
> <decoder name="rsyslog-pstats-discarded-nf">
>   <parent>rsyslog-pstats-discarded</parent>
>   <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
>   <order>extra_data</order>
> </decoder>
>
> <!-- the end of rsyslog -->
>
> but OSSEC says:
>
> 2013/03/04 12:35:47 ossec-analysisd(2107): ERROR: Decoder configuration error: 'rsyslog-pstats-discarded-full'.
> 2013/03/04 12:35:47 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
>
> I think this part has the problem, but I do not know why or how:
>
> <decoder name="rsyslog-pstats-discarded-full">
>   <parent>rsyslog-pstats-discarded</parent>
>   <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
>   <order>extra_data</order>
> </decoder>
>
> <decoder name="rsyslog-pstats-discarded-nf">
>   <parent>rsyslog-pstats-discarded</parent>
>   <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
>   <order>extra_data</order>
> </decoder>
>
> Thanks & best regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
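A decoder layout for the same rsyslogd-pstats lines that keeps every child directly under `rsyslog-pstats`, added here as an editor's example and not code from the thread. It assumes, as the reply guesses, that a decoder which itself has a `<parent>` cannot be named as a parent of another decoder, and that `offset="after_prematch"` only works in a decoder that has its own `<prematch>`. Each child therefore carries its own prematch and captures both counters of its line in one regex (`\p` is OSSEC's punctuation class, so `discarded\pfull` matches `discarded.full`) instead of a second nesting level. The decoder names `rsyslog-pstats-action`, `rsyslog-pstats-mainq` and `rsyslog-pstats-imuxsock` are my own.

```xml
<!-- Added example, not from the thread: a flat, two-level layout for
     rsyslogd-pstats. Assumes OSSEC decoders nest only one level deep and
     that offset="after_prematch" requires a <prematch> in the same decoder. -->
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

<!-- "action 1: processed=10116 failed=0"
     data = processed, extra_data = failed -->
<decoder name="rsyslog-pstats-action">
  <parent>rsyslog-pstats</parent>
  <prematch>^action\s\d+</prematch>
  <regex offset="after_prematch">processed=(\d+)\sfailed=(\d+)</regex>
  <order>data, extra_data</order>
</decoder>

<!-- "main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441"
     data = discarded.full, extra_data = discarded.nf
     (\p is OSSEC's punctuation class, so \pfull matches ".full") -->
<decoder name="rsyslog-pstats-mainq">
  <parent>rsyslog-pstats</parent>
  <prematch>^main\sQ</prematch>
  <regex offset="after_prematch">discarded\pfull=(\d+)\sdiscarded\pnf=(\d+)</regex>
  <order>data, extra_data</order>
</decoder>

<!-- "imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0"
     extra_data = ratelimit.discarded -->
<decoder name="rsyslog-pstats-imuxsock">
  <parent>rsyslog-pstats</parent>
  <prematch>^imuxsock</prematch>
  <regex offset="after_prematch">ratelimit\pdiscarded=(\d+)</regex>
  <order>extra_data</order>
</decoder>
```

To check it, paste one of the sample lines from the thread into `/var/ossec/bin/ossec-logtest` and confirm that the expected child decoder name and the `data` / `extra_data` values are printed. As the log excerpts above show, the test tool (`ossec-testrule`) loads `decoder.xml` with the same checks as `ossec-analysisd`, so a broken decoder file fails there before the daemon is restarted.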
