Ok, so if I understood what you mean, there is no other way to match complex expressions like "(error|access)(.|_)log(-[0-9]+)?" than enumerating all the possibilities?
On Thursday, March 14, 2013 at 14:03:58 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Mar 14, 2013 at 5:22 AM, grobs <[email protected]> wrote:
> > Hi everyone!
> >
> > I'm having an issue when using the pipe ("|") character in my regex matching
> > rules.
> > As an example, I want to match error_log AND error.log so I wrote this regex:
> > <regex>error(\.|_)log</regex>
>
> You're using the character incorrectly, you probably want something like:
> <regex>error_log|error.log</regex>
>
> > The problem is that when I test it, I have an error:
> >
> > cat /root/rule_tests/unknown_error.txt | /var/ossec/bin/ossec-logtest
> > 2013/03/14 10:15:12 ossec-testrule: INFO: Reading local decoder file.
> > 2013/03/14 10:15:12 ossec-analysisd(1450): ERROR: Syntax error on regex: 'error(\.|_)log': 7.
> > 2013/03/14 10:15:12 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> >
> > I saw in this page that it is possible to use the "|" special char but I
> > don't manage to use it properly.
> >
> > Do you have some info to give on that problem?
> >
> > Best regards
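An added example, not part of the thread and not OSSEC code: a Python helper that mechanically expands grouped alternations like the pattern asked about above into the flat, top-level `|` form suggested in the quoted reply, so the enumeration does not have to be written by hand. The function names, the handling of a trailing `?` on a group, and the `-\d+` spelling of the numeric suffix are assumptions of this example; fragments are copied verbatim and are not validated against OSSEC's regex syntax.

```python
import itertools


def split_groups(pattern):
    """Return a list of parts; each part lists the alternatives at that position."""
    parts, buf, alts, in_group = [], "", None, False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # escaped char: copy both verbatim
            buf += pattern[i:i + 2]
            i += 2
            continue
        if ch == "(":
            if in_group:
                raise ValueError("nested groups are not handled")
            if buf:
                parts.append([buf])
            buf, alts, in_group = "", [], True
        elif ch == "|" and in_group:
            alts.append(buf)
            buf = ""
        elif ch == ")" and in_group:
            alts.append(buf)
            buf, in_group = "", False
            if pattern[i + 1:i + 2] == "?":  # optional group: add the empty choice
                alts.append("")
                i += 1
            parts.append(alts)
        else:
            buf += ch
        i += 1
    if in_group:
        raise ValueError("unclosed group")
    if buf:
        parts.append([buf])
    return parts


def flatten(pattern):
    """Expand every group and join the results with top-level '|' only."""
    combos = itertools.product(*split_groups(pattern))
    return "|".join("".join(combo) for combo in combos)


# Constructed input: the pattern from the post, with the numeric suffix
# written as -\d+ (assumption about the target regex flavor).
SAMPLE = r"(error|access)(.|_)log(-\d+)?"

if __name__ == "__main__":
    print("<regex>%s</regex>" % flatten(SAMPLE))
```

The generated line can be pasted into the rule and checked with the same `ossec-logtest` command shown in the quoted message.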
