On Mon, Jul 1, 2013 at 3:04 PM, David Blanton <[email protected]> wrote:
> Ah I see. So \S+ is a string, \w+ is a character, \d+ is a numeric
> variable, and \s+ is a space?
>

\S is a non-whitespace character. \S+ is 1 or more non-whitespace
characters. \w is a word. \w+ is 1 or more words. \d is a number, \d+ is
1 or more numbers. \s is a space, \s+ is 1 or more spaces.
http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax

> One last quick question - my rule for the decoder seems to be caught up
> at line 36 according to ossec.log
>
> local_rule.xml
>
> group name=”bnc3prod”>
> (this is line 36)<rule id=”100002” level=”10”>

Your double quotes look odd, but a copy/paste of the rule into vi worked
fine for me.

> <decoded_as>bnc3prod</decoded_as>
> <description>FAILED: generated in logs</description>
> </rule>
>
>
> 2013/07/01 14:57:55 ossec-testrule: INFO: Reading local decoder file.
> 2013/07/01 14:57:55 ossec-analysisd(1226): ERROR: Error reading XML file
> 'rules//local_rules.xml': XMLERR: Attribute 'name' not followed by a " or '.
> (line 36).
> 2013/07/01 14:57:55 ossec-testrule(1220): ERROR: Error loading the rules:
> 'local_rules.xml'.
> 2013/07/01 14:58:28 ossec-testrule: INFO: Reading local decoder file.
> 2013/07/01 14:58:28 ossec-analysisd(1226): ERROR: Error reading XML file
> 'rules//local_rules.xml': XMLERR: Attribute 'id' not followed by a " or '.
> (line 37).
>
>
> Am I missing something?
>
>
> On Monday, July 1, 2013 2:54:51 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Jul 1, 2013 at 2:09 PM, David Blanton
>> <[email protected]> wrote:
>> >> <regex offset="after_prematch">^(\S+)
>> >>: \S(\d+)$</regex>
>> >
>> > Mind if I ask why for the regex offset you would want a space :
>> > space(digital)?
>> >
>>
>> Because FAILED is not a number. My regex says:
>> ^ - This is the beginning of the string we will look at. The character
>> following this will be the FIRST character.
>> (\S+): - Any non-whitespace string followed by a :. In this case
>> FAILED is what we are looking for.
>> \S - I put this in because of the "-," I don't know if all of your
>> samples will have this or not. In fact, if one of your messages does
>> not have the "-" this regex will not work.
>> (\d+) - any number, in the example you gave 351.
>> $ - Signifies the end of the string. The character to the immediate
>> left of the $ will be the last character in the string.
>>
>>
>> > Wouldn't it be more like <reg>^\d+:\S(\d+)$?
>> >
>> > Also what does the '$' sign mean?
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
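The XMLERR in the quoted ossec.log ("Attribute 'name' not followed by a " or '") is consistent with the curly quotes (”) visible in the pasted rule: XML accepts only ASCII " or ' around attribute values. As an added check that is not part of this thread, the Python script below reports attributes in a local_rules.xml whose values are delimited by typographic quotes, rewrites only those delimiters (element text such as a <description> is left alone), and confirms the result parses; the sample rule is constructed from the one quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Attribute whose value is wrapped in typographic double quotes (U+201C/U+201D)
# or typographic single quotes (U+2018/U+2019). Group 1 is the attribute name,
# group 2 the value. XML only accepts ASCII " or ' as the delimiter, which is
# what the "not followed by a \" or '" error in the thread complains about.
_SMART_DQ = re.compile(r'(\b[A-Za-z_:][\w:.-]*)=[\u201c\u201d]([^\u201c\u201d"]*)[\u201c\u201d]')
_SMART_SQ = re.compile(r"(\b[A-Za-z_:][\w:.-]*)=[\u2018\u2019]([^\u2018\u2019']*)[\u2018\u2019]")


def find_smart_quoted_attrs(xml_text):
    """Return [(line_number, attribute_name)] for every attribute value
    delimited by typographic quotes, in file order."""
    hits = []
    for lineno, line in enumerate(xml_text.splitlines(), start=1):
        for m in _SMART_DQ.finditer(line):
            hits.append((lineno, m.group(1)))
        for m in _SMART_SQ.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def fix_smart_quoted_attrs(xml_text):
    """Replace typographic delimiters around attribute values with ASCII ones.
    Only the delimiters matched above are touched, so a curly apostrophe
    inside element text survives unchanged."""
    xml_text = _SMART_DQ.sub(r'\1="\2"', xml_text)
    return _SMART_SQ.sub(r"\1='\2'", xml_text)


def is_well_formed(xml_text):
    """True if the text parses as XML (the sample has a single <group> root)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed sample: the rule from the thread as it was pasted, with
# typographic quotes, plus a description that legitimately contains one.
SAMPLE = """<group name=\u201dbnc3prod\u201d>
  <rule id=\u201d100002\u201d level=\u201d10\u201d>
    <decoded_as>bnc3prod</decoded_as>
    <description>FAILED: generated in logs (don\u2019t edit)</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    for lineno, attr in find_smart_quoted_attrs(SAMPLE):
        print(f"line {lineno}: attribute '{attr}' uses typographic quotes")
    print(fix_smart_quoted_attrs(SAMPLE))
```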
