Ah, I see. So \S+ is a string, \w+ is a character, \d+ is a numeric variable, and \s+ is a space?
One last quick question: my rule for the decoder seems to be caught up at line 36, according to ossec.log.

local_rule.xml:

<group name=”bnc3prod”>   (this is line 36)
<rule id=”100002” level=”10”>
<decoded_as>bnc3prod</decoded_as>
<description>FAILED: generated in logs</description>
</rule>

ossec.log:

2013/07/01 14:57:55 ossec-testrule: INFO: Reading local decoder file.
2013/07/01 14:57:55 ossec-analysisd(1226): ERROR: Error reading XML file 'rules//local_rules.xml': XMLERR: Attribute 'name' not followed by a " or '. (line 36).
2013/07/01 14:57:55 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
2013/07/01 14:58:28 ossec-testrule: INFO: Reading local decoder file.
2013/07/01 14:58:28 ossec-analysisd(1226): ERROR: Error reading XML file 'rules//local_rules.xml': XMLERR: Attribute 'id' not followed by a " or '. (line 37).

Am I missing something?

On Monday, July 1, 2013 2:54:51 PM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Jul 1, 2013 at 2:09 PM, David Blanton <[email protected]> wrote:
> >> <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
> >
> > Mind if I ask why for the regex offset you would want a space : space(digital)?
> >
>
> Because FAILED is not a number. My regex says:
> ^ - This is the beginning of the string we will look at. The character following this will be the FIRST character.
> (\S+): - Any non-whitespace string followed by a :. In this case FAILED is what we are looking for.
> \S - I put this in because of the "-". I don't know if all of your samples will have this or not. In fact, if one of your messages does not have the "-" this regex will not work.
> (\d+) - any number, in the example you gave 351.
> $ - Signifies the end of the string. The character to the immediate left of the $ will be the last character in the string.
>
> > Wouldn't it be more like <reg>^\d+:\S(\d+)$?
> >
> > Also what does the '$' sign mean?
--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
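The two questions in the thread above can be checked offline. The following Python script is an added example, not code from the posts or from the OSSEC project: it translates the documented OSSEC regex escapes (\w, \d, \s, \S and friends) into an equivalent Python pattern so the regex from dan's reply can be run against sample text, and it scans a rule file for the typographic quotes that make OSSEC's XML parser report "Attribute 'name' not followed by a \" or '". The sample strings "FAILED: -351" and "FAILED: 351" and the reconstructed rule file are constructed for illustration (the original log line is not on the page), and OSSEC's case-insensitive matching is not modelled.

```python
"""Added example (not from the posts or OSSEC): OSSEC regex semantics on
constructed samples, and a curly-quote check for local_rules.xml."""
import re
import xml.etree.ElementTree as ET

# Character classes from OSSEC's documented regex syntax. \w is a run of
# word-ish characters, not a single character; \S is anything that is not
# a space, so it also swallows punctuation such as ':' and '-'.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",
}
# Metacharacters that keep their meaning: anchors, repetition, OR, groups.
PASSTHROUGH = set("^$+*|()")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into an equivalent Python pattern.
    Assumption: OSSEC's case-insensitive matching is not modelled."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in OSSEC regex")
            nxt = pattern[i + 1]
            # Known class escape; any other escaped char is taken literally.
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in PASSTHROUGH else re.escape(ch))
            i += 1
    return "".join(out)


def ossec_match(pattern: str, text: str):
    """Return the captured groups (what OSSEC hands to <order>), or None.
    OSSEC <regex> matches anywhere in the text unless anchored with ^."""
    m = re.search(ossec_to_python(pattern), text)
    return m.groups() if m else None


# Curly quotes that editors and mail clients insert. The XML parser only
# accepts ASCII " or ' around attribute values, so these trigger XMLERR.
TYPOGRAPHIC_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Constructed reproduction of the posted rule, with the curly quotes that
# the error message is complaining about.
BROKEN_RULE = (
    "<group name=\u201cbnc3prod\u201d>\n"
    "  <rule id=\u201c100002\u201d level=\u201c10\u201d>\n"
    "    <decoded_as>bnc3prod</decoded_as>\n"
    "    <description>FAILED: generated in logs</description>\n"
    "  </rule>\n"
    "</group>\n"
)


def find_typographic_quotes(xml_text: str):
    """List (line, column, char) for every curly quote, so the offending
    lines can be compared with the line numbers in the XMLERR output."""
    return [(lineno, col, ch)
            for lineno, line in enumerate(xml_text.splitlines(), start=1)
            for col, ch in enumerate(line, start=1)
            if ch in TYPOGRAPHIC_QUOTES]


def fix_typographic_quotes(xml_text: str) -> str:
    """Replace curly quotes with their ASCII equivalents."""
    return xml_text.translate(str.maketrans(TYPOGRAPHIC_QUOTES))


def xml_parses(xml_text: str) -> bool:
    """True if the text is well-formed XML (a single <group> element here)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    regex = r"^(\S+): \S(\d+)$"                    # the regex from dan's reply
    for tail in ("FAILED: -351", "FAILED: 351"):  # constructed samples
        print(repr(tail), "->", ossec_match(regex, tail))
    print(r"\w+ vs \S+:", ossec_match(r"^(\w+)", "FAILED: -351"),
          ossec_match(r"^(\S+)", "FAILED: -351"))
    for hit in find_typographic_quotes(BROKEN_RULE):
        print("curly quote at line %d col %d: %r" % hit)
    print("parses before fix:", xml_parses(BROKEN_RULE))
    print("parses after fix:", xml_parses(fix_typographic_quotes(BROKEN_RULE)))
```

Two things worth noticing when running it. On "FAILED: -351" the regex captures ("FAILED", "351") as intended, but on "FAILED: 351" it still matches and captures "51", because \S eats the first digit before (\d+) starts; that is the failure dan warns about when the "-" is absent, and it is silent rather than a non-match. On the XML side, the checker flags two curly quotes on line 1 and four on line 2 of the reconstructed rule, which lines up with the log above reporting 'name' on one run and 'id' on the next: ossec-testrule stops at the first malformed attribute, so each run reports the next line that still has typographic quotes.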
