On Thu, Mar 14, 2013 at 5:22 AM, grobs <[email protected]> wrote:
> Hi everyone!
>
> I'm having an issue when using the pipe ("|") character in my regex matching
> rules.
> As an example, I want to match error_log AND error.log so I wrote this regex
> : <regex>error(\.|_)log</regex>

You're using the character incorrectly, you probably want something like:
<regex>error_log|error.log</regex>

> The problem is that when I test it, I have an error:
>
> cat /root/rule_tests/unknown_error.txt | /var/ossec/bin/ossec-logtest
> 2013/03/14 10:15:12 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/14 10:15:12 ossec-analysisd(1450): ERROR: Syntax error on regex:
> 'error(\.|_)log': 7.
> 2013/03/14 10:15:12 ossec-testrule(1220): ERROR: Error loading the rules:
> 'local_rules.xml'.
>
> I saw in this page that it is possible to use the "|" special char but I
> don't manage to use it properly.
>
> Do you have some info to give on that problem?
>
> Best regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
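
A pre-deployment check for the failure in this thread, as an added example that is not part of the original messages and is not OSSEC code: it scans rule XML for `<regex>` patterns that place `|` inside parentheses. It assumes, from the error and the suggested fix above, that OSSEC only accepts `|` between whole patterns; the function names, rule ids and sample rules are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules (not the poster's local_rules.xml).
SAMPLE_RULES = r"""
<group name="local,">
  <rule id="100001" level="5">
    <regex>error(\.|_)log</regex>
    <description>grouped alternation, rejected in the thread</description>
  </rule>
  <rule id="100002" level="5">
    <regex>error_log|error.log</regex>
    <description>top-level alternation, as suggested in the reply</description>
  </rule>
</group>
"""


def pipe_inside_parens(pattern):
    """Return the offsets of every unescaped '|' that sits inside parentheses."""
    depth, hits, i = 0, [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # backslash escapes the next character; skip both
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == "|" and depth > 0:
            hits.append(i)
        i += 1
    return hits


def audit_rules(xml_text):
    """Return (rule id, pattern, offsets) for each <regex> with a grouped '|'."""
    # Rule files can hold several top-level <group> elements, so wrap them
    # in a single root before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for rule in root.iter("rule"):
        for el in rule.iter("regex"):
            hits = pipe_inside_parens(el.text or "")
            if hits:
                findings.append((rule.get("id"), el.text, hits))
    return findings


if __name__ == "__main__":
    for rule_id, pattern, hits in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: '|' inside parentheses at {hits} in {pattern!r}")
```

Running a check like this before `ossec-logtest` points at the offending rule directly, instead of a rules file that fails to load as a whole.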
