<decoder name="rsyslog-pstats">
    <program_name>^rsyslogd-pstats</program_name>
  </decoder>

  <decoder name="rsyslog-pstats-submit">
    <parent>rsyslog-pstats</parent>
    <prematch offset="after_parent">^\S+\p\S+:\d+\p: submitted=</prematch>
    <regex offset="after_prematch">^(\d+)</regex>
    <order>extra_data</order>
  </decoder>

  <decoder name="rsyslog-pstats-main">
    <parent>rsyslog-pstats</parent>
    <prematch offset="after_parent">^main Q: </prematch>
    <regex offset="after_prematch">^\.+ discarded.full=(\d+) discarded.nf=(\d+)</regex>
    <order>extra_data, extra_data</order>
  </decoder>

  <decoder name="rsyslog-pstats-action">
    <parent>rsyslog-pstats</parent>
    <prematch offset="after_parent">^action </prematch>
    <regex offset="after_prematch">^(\d+): processed=(\d+) failed=(\d+)</regex>
    <order>action, extra_data, extra_data</order>
  </decoder>

On Tue, Mar 5, 2013 at 6:21 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Mar 4, 2013 at 11:30 PM, root <[email protected]> wrote:
>>
>> Now, I wrote it like this:
>>
>> <decoder name="rsyslog-pstats-main">
>>  <parent>rsyslog-pstats</parent>
>>  <prematch>^main\sQ</prematch>
>> </decoder>
>>
>>
>> <decoder name="rsyslog-pstats-discarded-full">
>>   <parent>rsyslog-pstats-main</parent>
>>   <regex offset="after_parent">^\.*discarded\pfull=(\d+)\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-discarded-nf">
>>   <parent>rsyslog-pstats-main</parent>
>>   <regex offset="after_parent">^\.*discarded\pnf=(\d+)\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>>
>> but the server says
>>
>> 2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'rsyslog-pstats-main'.
>
> My guess would be that a child cannot be a parent.
>
>> 2013/03/05 12:27:03 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
>> 2013/03/05 12:27:03 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
>> 2013/03/05 12:28:13 ossec-syscheckd: INFO: Starting syscheck scan.
>>
>> Thanks & best regards
>>
>> From: root
>> Date: 2013-03-04 12:43
>> To: ossec-list
>> Subject: multiple OSSEC decoders on the same event has some problem
>> Hi all,
>>
>> Now I want to match these events:
>>
>> 2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
>> 2013-03-04T12:39:54.901163+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
>> 2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441
>> 2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0
>> 2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0
>> 2013-03-04T12:40:04.906921+08:00 localhost rsyslogd-pstats: action 2: processed=2393 failed=0
>> 2013-03-04T12:40:04.906923+08:00 localhost rsyslogd-pstats: action 3: processed=35 failed=0
>> 2013-03-04T12:40:04.906925+08:00 localhost rsyslogd-pstats: action 4: processed=2 failed=0
>> 2013-03-04T12:40:04.906926+08:00 localhost rsyslogd-pstats: action 5: processed=32 failed=0
>> 2013-03-04T12:40:04.906928+08:00 localhost rsyslogd-pstats: action 6: processed=0 failed=0
>> 2013-03-04T12:40:04.906930+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
>> 2013-03-04T12:40:04.906931+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0
>>
>> I want to match all of the "failed" or "discarded" values.
>>
>> My decoder is like this:
>>
>> <decoder name="rsyslog-pstats">
>>  <program_name>^rsyslogd-pstats</program_name>
>> </decoder>
>>
>> <!-- failed -->
>> <decoder name="rsyslog-pstats-failed">
>>   <parent>rsyslog-pstats</parent>
>>   <prematch>^action\s\d+</prematch>
>>   <regex offset="after_prematch">^\.*failed=(\d+)</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <!-- main Q -->
>> <decoder name="rsyslog-pstats-discarded">
>>  <parent>rsyslog-pstats</parent>
>>  <prematch>^main\sQ</prematch>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-discarded-full">
>>   <parent>rsyslog-pstats-discarded</parent>
>>   <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-discarded-nf">
>>   <parent>rsyslog-pstats-discarded</parent>
>>   <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <!-- the end of rsyslog -->
>>
>> but OSSEC says
>>
>> 2013/03/04 12:35:47 ossec-analysisd(2107): ERROR: Decoder configuration error: 'rsyslog-pstats-discarded-full'.
>> 2013/03/04 12:35:47 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
>>
>> I think this part has the problem, but I do not know why or how:
>>
>> <decoder name="rsyslog-pstats-discarded-full">
>>   <parent>rsyslog-pstats-discarded</parent>
>>   <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> <decoder name="rsyslog-pstats-discarded-nf">
>>   <parent>rsyslog-pstats-discarded</parent>
>>   <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> Thanks & best regards
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
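Added example (not part of dan's reply, and not OSSEC's own code): a small Python model of the matching chain the decoders in the reply above rely on, run over the events root posted. It approximates how ossec-analysisd chains a parent decoder's <program_name>, a child's <prematch offset="after_parent">, its <regex offset="after_prematch"> and the <order> mapping of capture groups; the OSSEC regex escapes (\d, \s, \p, \S, and \. for "any character" while a bare . is a literal dot) are translated to Python from the documented meanings, so this is a simplification of OSSEC's own OS_Regex engine, not a reimplementation of it. The sample lines are constructed from the thread with the e-mail wrapping undone, the main Q counters changed to 3/7 so the repeated field is visible, plus one non-pstats line; the names ossec_to_python, decode, decode_all, DECODERS and SAMPLE_EVENTS are mine.

```python
import re
from typing import Optional

# OSSEC regex escapes translated to Python classes, per the OSSEC decoder docs:
# a bare '.' is a literal dot in OSSEC and '\.' means "any character".
_OSSEC_CLASSES = {
    "d": "[0-9]", "D": "[^0-9]",
    "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]",
    "s": "[ ]", "S": "[^ ]", "t": "\t", ".": ".",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",   # OSSEC's punctuation set
}


def ossec_to_python(pattern: str) -> "re.Pattern[str]":
    """Translate an OSSEC decoder regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_CLASSES:
            out.append(_OSSEC_CLASSES[pattern[i + 1]])
            i += 2
            continue
        # ^ $ ( ) + * | keep their meaning; anything else (including '.') is literal
        out.append(c if c in "^$()+*|" else re.escape(c))
        i += 1
    return re.compile("".join(out))


# The decoders from the reply above, as dicts instead of XML. Only decoders
# without a "parent" key may be named as a parent (one level of nesting).
DECODERS = [
    {"name": "rsyslog-pstats", "program_name": r"^rsyslogd-pstats"},
    {"name": "rsyslog-pstats-submit", "parent": "rsyslog-pstats",
     "prematch": r"^\S+\p\S+:\d+\p: submitted=", "regex": r"^(\d+)",
     "order": ["extra_data"]},
    {"name": "rsyslog-pstats-main", "parent": "rsyslog-pstats",
     "prematch": r"^main Q: ",
     "regex": r"^\.+ discarded.full=(\d+) discarded.nf=(\d+)",
     "order": ["extra_data", "extra_data"]},
    {"name": "rsyslog-pstats-action", "parent": "rsyslog-pstats",
     "prematch": r"^action ", "regex": r"^(\d+): processed=(\d+) failed=(\d+)",
     "order": ["action", "extra_data", "extra_data"]},
]

# "<timestamp> <host> <program>: <message>", the shape of the rsyslog lines in the thread
_SYSLOG = re.compile(r"^(\S+) (\S+) ([^:]+): (.*)$")


def decode(line: str, decoders=DECODERS) -> Optional[dict]:
    """Return the fields the first matching decoder extracts, or None if none fires."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    program, message = m.group(3), m.group(4)
    for parent in (d for d in decoders if "parent" not in d):
        if not ossec_to_python(parent["program_name"]).search(program):
            continue
        fields = {"decoder": parent["name"], "program_name": program}
        for child in (d for d in decoders if d.get("parent") == parent["name"]):
            # offset="after_parent": the parent consumed only program_name, so the
            # child's prematch starts at the beginning of the message.
            pm = ossec_to_python(child["prematch"]).search(message)
            if not pm:
                continue
            # offset="after_prematch": the regex resumes where the prematch stopped.
            rm = ossec_to_python(child["regex"]).search(message[pm.end():])
            if not rm:
                continue
            fields["decoder"] = child["name"]
            for name, value in zip(child["order"], rm.groups()):
                fields[name] = value   # one slot per field: a repeated name keeps the last capture
            return fields
        return fields                  # parent matched, no child did
    return None


# Constructed sample input: events from the thread with the wrapping undone (the main Q
# counters changed to 3/7 so the overwrite is visible) plus one line that is not pstats.
SAMPLE_EVENTS = [
    "2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0",
    "2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 "
    "enqueued=13130 full=0 discarded.full=3 discarded.nf=7 maxqsize=1441",
    "2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 "
    "ratelimit.discarded=0 ratelimit.numratelimiters=0",
    "2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0",
    "2013-03-04T12:40:05.000000+08:00 localhost sshd: Accepted publickey for root from 10.0.0.5",
]


def decode_all(lines=SAMPLE_EVENTS):
    """Decode every sample line in order."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_EVENTS, decode_all()):
        print(line.split(": ", 1)[1], "->", fields)
```

Two things the run makes visible. OSSEC holds one value per <order> field, so with "extra_data, extra_data" only the last capture survives: the main Q decoder ends up with extra_data=7 (discarded.nf) and the action decoder with extra_data=0 (failed), while discarded.full and processed are dropped; if a rule needs both counters, map them onto distinct fields such as data and extra_data. And the submit prematch expects the "name(x:port):" shape, so the "imuxsock: submitted=..." line only reaches the parent decoder. The authority on all of this is the shipped tool: feed one of these lines to /var/ossec/bin/ossec-logtest and compare its "Phase 2: Completed decoding" output with the model. ossec-logtest is also the quickest way to reproduce the two errors quoted in the thread: "Parent decoder name invalid" because only a decoder with no <parent> of its own can be named as a parent, and, as far as I read the loader, "Decoder configuration error" because a <regex offset="after_prematch"> needs a <prematch> in the same decoder.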

