On Mar 4, 2013 5:41 AM, "root" <[email protected]> wrote:
>
> hi
>
> I wrote a rule like this:
>
> <group name="rsyslog,">
>
> <rule id="105001" level="0">
> <decoded_as>rsyslog-pstats</decoded_as>
> <extra_data>^0</extra_data>
> <description>rsyslog is right</description>
> </rule>
>
> <rule id="105002" level="13">
> <decoded_as>rsyslog-pstats</decoded_as>
> <extra_data>^1</extra_data>
> <description>rsyslog is wrong</description>
> </rule>
>

You'll have to replace rule [12] with the correct information. The basic idea is to match any value, then eliminate the one you don't want to see.

<rule 1>
<match>submitted=</match>
</rule 1>

<rule 2 level="0">
<extra_data>0</extra_data>
</rule 2>

> </group>
>
> but the problem is that if the extra_data value is like "21", it cannot match....
>
> Thanks & Best Regards
>
> From: root
> Date: 2013-03-04 17:08
> To: ossec-list
> Subject: how can i match nonzero in rules?
>
> hi,
>
> Now I have matched the "discarded" value in rsyslog-stats. I want to monitor
> this: if the value is "0", no alert, and if not, alert!
>
> So how can I do that?
>
> Thanks & Best Regards
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
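
The approach in the reply (match any value, then silence the one value that should stay quiet) written out as a complete rule pair; this is an added example, not part of the original thread. It reuses the rule ids from the question with new descriptions, and assumes the rsyslog-pstats decoder places only the digits of the discarded counter in extra_data.

```xml
<!-- Added example. Ids 105001/105002 come from the question; descriptions are new. -->
<!-- Assumption: the rsyslog-pstats decoder stores only the counter digits in extra_data. -->
<group name="rsyslog,">

  <!-- Parent: fires on every event decoded as rsyslog-pstats, whatever the value. -->
  <rule id="105001" level="13">
    <decoded_as>rsyslog-pstats</decoded_as>
    <description>rsyslog discarded count is nonzero</description>
  </rule>

  <!-- Child: evaluated only after 105001 has matched. ^0$ matches exactly "0",
       so "21", "10" or "105" stay with the level 13 parent and still alert.
       Level 0 means no alert is generated for the zero case. -->
  <rule id="105002" level="0">
    <if_sid>105001</if_sid>
    <extra_data>^0$</extra_data>
    <description>rsyslog discarded count is zero (ignored)</description>
  </rule>

</group>
```

Anchoring both ends matters here: an unanchored 0 would also silence "10" or "105". Feeding sample pstats lines with the values 0, 10 and 21 to ossec-logtest shows which rule each one ends on.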
