On Mon, Jul 8, 2013 at 1:33 PM, David Blanton <[email protected]> wrote:
> Here are the results, said decoder did not match and it picked up another
> rule? Not sure where I'm going wrong with this one:
>
> ossec-testrule: Type one log per line.
>
> 119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351
>
The spacing is very different in this rule than it was in the previous sample you sent. This works with both samples:

<decoder name="bnc-decoder">
  <prematch>^\d+-\d+: \S+ \d+-\d+\s+\d+-\d+\s+\S+\s+</prematch>
  <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
  <order>status, extra_data</order>
</decoder>

>
> **Phase 1: Completed pre-decoding.
>        full event: '119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351'
>        hostname: 'reston-cacti'
>        program_name: '(null)'
>        log: '119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
>        Trying rule: 100002 - BATCH FAILED: error generated (This is the rule I made)
>
>        *Rule 1002 matched.
>        *Trying child rules.
>        Trying rule: 1009 - Ignoring known false positives on rule 1002..
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
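Added example, not part of the thread and not OSSEC code: a small Python harness that replays the decoder from the reply above (prematch, then regex with offset="after_prematch", captures mapped onto <order>) against the log line from the thread plus two variants constructed here. OSSEC's regex engine is not PCRE, so the translation of the \d, \s and \S classes into Python re syntax is an assumption, chosen to mirror OSSEC's documented meaning (\s is a literal space, \S anything that is not a space); the function and constant names are mine.

```python
import re

# Decoder from the reply above, copied field by field.
PREMATCH = r"^\d+-\d+: \S+ \d+-\d+\s+\d+-\d+\s+\S+\s+"
REGEX = r"^(\S+): \S(\d+)$"
ORDER = ["status", "extra_data"]

# OSSEC's regex engine is not PCRE. Only the classes this decoder uses are
# translated here, and the translation is an assumption that is close enough
# for offline testing: in OSSEC, \s is a literal space (tabs are \t, not \s)
# and \S is any character that is not a space.
_OSSEC_CLASSES = {
    r"\d": "[0-9]",
    r"\s": "[ ]",
    r"\S": "[^ ]",
}


def ossec_to_python(pattern):
    """Rewrite the OSSEC character classes used above into Python re syntax."""
    for ossec, python in _OSSEC_CLASSES.items():
        pattern = pattern.replace(ossec, python)
    return re.compile(pattern)


def decode(log, prematch=PREMATCH, regex=REGEX, order=ORDER):
    """Emulate one OSSEC decoder: prematch first, then regex applied to the
    text after the prematch (offset="after_prematch"), captures mapped onto
    the <order> fields.

    Returns the decoded fields, or None when the decoder does not match,
    which is what the ossec-testrule run above reports as
    "No decoder matched".
    """
    pre = ossec_to_python(prematch).search(log)
    if pre is None:
        return None
    remainder = log[pre.end():]          # offset="after_prematch"
    m = ossec_to_python(regex).search(remainder)
    if m is None:
        return None
    return dict(zip(order, m.groups()))


# Constructed sample input. The first line is the one from the thread; the
# other two are variants made up here to show what the \s+ runs do and do
# not absorb.
LOG_FROM_THREAD = "119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351"
LOG_WIDE_SPACING = "119473-00001: P10500079pdfdoc0375.zip 0424-1    05-00079   pdfdoc      FAILED: -351"
LOG_TAB_SEPARATED = "119473-00001: P10500079pdfdoc0375.zip 0424-1\t05-00079\tpdfdoc\tFAILED: -351"


if __name__ == "__main__":
    for line in (LOG_FROM_THREAD, LOG_WIDE_SPACING, LOG_TAB_SEPARATED):
        print(repr(line))
        print("   ->", decode(line))
```

Two things the run makes visible that the decoder text alone does not: the tab-separated variant is rejected, because OSSEC's \s only covers a space (use \t, or a list of both, if the producing application ever emits tabs); and the \S placed before (\d+) consumes the minus sign, so extra_data comes back as "351" rather than "-351". If the sign matters for the rule, capture it, for example with (\S\d+) or (\p\d+). The Python run is only a pre-check; confirm the final decoder with the same ossec-testrule session shown in the quoted output, since the real engine is the one that has to match.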
