So to verify, ^ translates to 'this is the first character/word in the line'.
I have not run it through logtest - before I do I wanted to attempt my best efforts at getting the syntax correct. I believe you ran the decoder through the logtest and it came up as working. I'm just having a hard time piecing together the rules to match the decoder because I am not getting alerts when the rules should be getting triggered. So what tags would match the extra_data in the decoder? Should I be looking at any other tags in my rules?

On Friday, July 5, 2013 1:36:04 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jul 5, 2013 at 1:30 PM, David Blanton <[email protected]> wrote:
> > Here is what I currently have for rules, and for reference I will link
> > my decoder.
> >
> > <group name="bnc3prod">
> >   <rule id="100002" level="0">
> >     <decoded_as>bnc3prod</decoded_as>
> >     <description>BATCH FAILED: error generated</description>
> >   </rule>
> >
> >   <rule id="100003" level="10">
> >     <if_sid>100002</if_sid>
> >     <status>^FAILED</status>
> >     <match>^301</match>
> >     <description>FAILED: 301 PKZIP file or court disk</description>
> >   </rule>
> >
> >   <rule id="100004" level="10">
> >     <if_sid>100002</if_sid>
> >     <status>^FAILED</status>
> >     <match>^302</match>
> >     <description>FAILED: 302 Inconsistent case#</description>
> >   </rule>
> >
> >   <rule id="100005" level="10">
> >     <if_sid>100002</if_sid>
> >     <status>^FAILED</status>
> >     <match>^303</match>
> >     <description>Number of fields in record incorrect</description>
> >   </rule>
> > </group>
> >
> > This is just an example, I have more rules, it's just I believe 3
> > gives you guys the idea.
> >
> > Here is the decoder:
> >
> > <decoder name="bnc3prod">
> >   <prematch>^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ </prematch>
> >   <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
> >   <order>status, extra_data</order>
> > </decoder>
> >
> > Now my question is, in the decoder file, I am seeing two things for
> > the <program_name> tag. One with <program_name>^bnc3prod</program_name> and
> > <program_name>bnc3prod</program_name>. Which one is correct? When
> > would the "^" be used? Same goes for the <match> and <status> tags.
> > Some use the ^ and others do not.
> >
>
> I prefer using the "^" in program_name fields. If the first character
> you have in <program_name> will always be the first character of the
> program name, use the "^".
>
> > Also, does the <extra_data> in the decoder line up with <match>?
> >
>
> It's hard to tell. I don't think you want the "^" in the <match> field
> though. The number won't be the first character in the log message.
> Have you run it through ossec-logtest? Does it work?
>
> --
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
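To see why the rules as posted stay silent even though the decoder works, here is an added Python model (not OSSEC code and not from anyone in this thread) that runs the decoder's prematch and regex over constructed sample lines, then evaluates the rules two ways: with `<match>^301</match>` tested against the whole log line, as posted, and keyed on the decoded `extra_data` field, which is the rule tag that corresponds to the decoder's `extra_data`. OSSEC's matching semantics are simplified here (assumption: a leading `^` anchors to the start, anything else is a substring test).

```python
import re
# Constructed sample log lines shaped to fit the decoder's prematch; not real batch output.
SAMPLE_LOGS = [
    "1001-2001: batch1 10-21 11-02 acme FAILED: E301",
    "1001-2001: batch2 10-21 11-02 acme FAILED: E302",
    "1001-2001: batch3 10-21 11-02 acme OK: S000",
]

# The decoder's OSSEC patterns transcribed into Python re (assumption: simplified model).
PREMATCH = re.compile(r"^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ ")
REGEX = re.compile(r"^(\S+): \S(\d+)$")

def decode(log):
    """Emulate the bnc3prod decoder: prematch, then the regex on what follows it."""
    m = PREMATCH.match(log)
    if not m:
        return None
    r = REGEX.match(log[m.end():])
    if not r:
        return None
    return {"log": log, "status": r.group(1), "extra_data": r.group(2)}

def os_match(pattern, value):
    """Simplified <match>-style check: a leading '^' anchors to the start, else substring."""
    if value is None:
        return False
    if pattern.startswith("^"):
        return value.startswith(pattern[1:])
    return pattern in value

# Rules as field -> pattern; <match> is tested against the whole log, other tags against decoded fields.
RULES_AS_POSTED = [
    {"id": 100003, "status": "^FAILED", "match": "^301"},
    {"id": 100004, "status": "^FAILED", "match": "^302"},
]
RULES_KEYED_ON_EXTRA_DATA = [
    {"id": 100003, "status": "^FAILED", "extra_data": "^301"},
    {"id": 100004, "status": "^FAILED", "extra_data": "^302"},
]

def evaluate(rules, decoded):
    """Return the ids of rules whose every pattern matches the decoded event."""
    fired = []
    for rule in rules:
        checks = ((f, p) for f, p in rule.items() if f != "id")
        if all(os_match(p, decoded["log"] if f == "match" else decoded.get(f)) for f, p in checks):
            fired.append(rule["id"])
    return fired
```

Running `evaluate` over the decoded sample lines shows the posted rules never fire, because the log line starts with the date field rather than the error number, while the `extra_data`-keyed versions fire exactly on the matching failure codes.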
