On Wed, Mar 20, 2013 at 9:40 AM, grobs <[email protected]> wrote:
> Ok, so if I understood what you mean, there is no other way to match complex
> expressions like "(error|access)(.|_)log(-[0-9]+)?" than enumerating all the
> possibilities?
>

That is correct. What part of the documentation made you think this was
possible? I'd like to correct it asap.

> On Thursday, March 14, 2013 14:03:58 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 14, 2013 at 5:22 AM, grobs <[email protected]> wrote:
>> > Hi everyone!
>> >
>> > I'm having an issue when using the pipe ("|") character in my regex
>> > matching rules.
>> > As an example, I want to match error_log AND error.log so I wrote this
>> > regex: <regex>error(\.|_)log</regex>
>>
>> You're using the character incorrectly, you probably want something like:
>> <regex>error_log|error.log</regex>
>>
>> > The problem is that when I test it, I have an error:
>> >
>> > cat /root/rule_tests/unknown_error.txt | /var/ossec/bin/ossec-logtest
>> > 2013/03/14 10:15:12 ossec-testrule: INFO: Reading local decoder file.
>> > 2013/03/14 10:15:12 ossec-analysisd(1450): ERROR: Syntax error on regex: 'error(\.|_)log': 7.
>> > 2013/03/14 10:15:12 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>> >
>> > I saw in this page that it is possible to use the "|" special char but I
>> > don't manage to use it properly.
>> >
>> > Do you have some info to give on that problem?
>> >
>> > Best regards

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
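The enumeration confirmed in this thread can be generated instead of typed by hand. The following is an added example, not code from the thread or from OSSEC: the function names are hypothetical, groups must not be nested, and the text of each alternative is copied unchanged, so it must already be valid in the target regex syntax.

```python
import itertools
import re

# One token is either a parenthesised group (optionally followed by '?')
# or a run of text outside any group. Nested groups are rejected.
TOKEN = re.compile(r"\((?P<body>[^()]*)\)(?P<opt>\?)?|(?P<lit>[^()]+)")


def split_alternatives(body):
    """Split a group body on '|', keeping escapes such as \\| and \\. intact."""
    parts = [""]
    for piece in re.findall(r"\\.|.", body):
        if piece == "|":
            parts.append("")
        else:
            parts[-1] += piece
    return parts


def enumerate_pattern(pattern):
    """Expand grouped alternation into a list of flat patterns."""
    choices, pos = [], 0
    for m in TOKEN.finditer(pattern):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d" % pos)
        pos = m.end()
        if m.group("lit") is not None:
            choices.append([m.group("lit")])
        else:
            alts = split_alternatives(m.group("body"))
            if m.group("opt"):
                alts.append("")  # optional group: also emit the variant without it
            choices.append(alts)
    if pos != len(pattern):
        raise ValueError("unsupported syntax at offset %d" % pos)
    return ["".join(combo) for combo in itertools.product(*choices)]


def to_top_level_regex(pattern):
    """Join the variants with top-level '|', the form suggested in the reply."""
    return "|".join(enumerate_pattern(pattern))


if __name__ == "__main__":
    # Pattern from the thread that ossec-logtest rejected.
    print(to_top_level_regex(r"error(\.|_)log"))
```

The joined string goes inside a single `<regex>` element; re-run `ossec-logtest` afterwards to confirm the rules load.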
