On Fri, Jul 5, 2013 at 1:30 PM, David Blanton
<[email protected]> wrote:
> Here is what I currently have for rules, and for reference I will link
> my decoder.
>
> <group name="bnc3prod">
>   <rule id="100002" level="0">
>   <decoded_as>bnc3prod</decoded_as>
>   <description>BATCH FAILED: error generated </description>
>   </rule>
>
> <rule id="100003" level="10">
> <if_sid>100002</if_sid>
> <status>^FAILED</status>
> <match>^301</match>
> <description>FAILED: 301 PKZIP file or court disk</description>
> </rule>
>
> <rule id="100004" level="10">
> <if_sid>100002</if_sid>
> <status>^FAILED</status>
> <match>^302</match>
> <description>FAILED: 302 Inconsistent case#</description>
> </rule>
>
> <rule id="100005" level="10">
> <if_sid>100002</if_sid>
> <status>^FAILED</status>
> <match>^303</match>
> <description>Number of fields in record incorrect</description>
> </rule>
>
> </group>
>
> This is just an example; I have more rules, but I believe 3
> gives you guys the idea.
>
> Here is the decoder:
>
> <decoder name="bnc3prod">
>   <prematch>^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ </prematch>
>   <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
>   <order>status, extra_data</order>
> </decoder>
>
>
> Now my question is, in the decoder file, I am seeing two things for
> the <program_name> tag. One with
> <program_name>^bnc3prod</program_name> and
> <program_name>bnc3prod</program_name>. Which one is correct? When
> would the "^" be used? The same goes for the <match> and <status> tags.
> Some use the ^ and others do not.
>

I prefer using the "^" in program_name fields. If the first character
you have in <program_name> will always be the first character of the
program name, use the "^."

> Also, does the <extra_data> in the decoder line up with <match>?
>

It's hard to tell. I don't think you want the "^" in the <match> field
though. The number won't be the first character in the log message.
Have you run it through ossec-logtest? Does it work?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

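To make the point about "^" concrete, here is an added simulation (not code from the thread or from OSSEC) that runs the poster's decoder over a constructed log line with Python's re module and then evaluates three rule variants: <match>^301</match> tested against the full log, an unanchored <match>301</match>, and a test on the decoded extra_data field. OSSEC's own regex engine differs in places, and the extra_data rule option is assumed to work as a plain regex test on the decoded field; the sample log is constructed to satisfy the prematch.

```python
import re

# Constructed sample log (not from the thread), shaped to satisfy the poster's
# prematch: "<digits>-<digits>: <word> <d>-<d> <d>-<d> <word> " then "STATUS: Xnnn"
SAMPLE_LOG = "2013-07: bnc3prod 12-34 56-78 batch FAILED: E301"

# The poster's decoder, approximated with Python's re module (assumption:
# \d, \S, ^ and $ behave the same as in OSSEC for these patterns).
PREMATCH = r"^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ "
REGEX = r"^(\S+): \S(\d+)$"
ORDER = ["status", "extra_data"]


def decode(log):
    """Return the decoded fields as a dict, or None if prematch/regex fail."""
    pre = re.match(PREMATCH, log)
    if not pre:
        return None
    # offset="after_prematch": the regex is applied to the remainder only
    m = re.match(REGEX, log[pre.end():])
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def rule_fires(log, fields, status=None, match=None, extra_data=None):
    """<status>/<extra_data> test decoded fields; <match> tests the full log."""
    if status is not None and not re.search(status, fields.get("status", "")):
        return False
    if extra_data is not None and not re.search(extra_data, fields.get("extra_data", "")):
        return False
    if match is not None and not re.search(match, log):
        return False
    return True


def evaluate(log):
    """Evaluate the three rule variants discussed in the thread against one log."""
    fields = decode(log)
    if fields is None:
        return {}  # decoder did not fire, so no child rule can fire
    return {
        # "^301" is anchored to the start of the whole log, which begins with a date
        "anchored_match": rule_fires(log, fields, status=r"^FAILED", match=r"^301"),
        "unanchored_match": rule_fires(log, fields, status=r"^FAILED", match=r"301"),
        # testing the decoded field instead of the raw log keeps the anchor meaningful
        "extra_data_field": rule_fires(log, fields, status=r"^FAILED", extra_data=r"^301"),
    }
```

Running evaluate(SAMPLE_LOG) shows the anchored <match> never fires while the other two do, which is the behaviour the reply above predicts.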