Sorry about that. It may have been the Google Groups text box that threw it off.
On Monday, July 8, 2013 1:38:29 PM UTC-4, dan (ddpbsd) wrote:
> On Mon, Jul 8, 2013 at 1:33 PM, David Blanton <[email protected]> wrote:
> > Here are the results, said decoder did not match and it picked up another
> > rule? Not sure where I'm going wrong with this one:
> >
> > ossec-testrule: Type one log per line.
> >
> > 119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351
> >
>
> The spacing is very different in this rule than it was in the previous
> sample you sent. This works with both samples:
>
> <decoder name="bnc-decoder">
> <prematch>^\d+-\d+: \S+ \d+-\d+\s+\d+-\d+\s+\S+\s+</prematch>
> <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
> <order>status, extra_data</order>
> </decoder>
>
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351'
> > hostname: 'reston-cacti'
> > program_name: '(null)'
> > log: '119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351'
> >
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > Trying rule: 100002 - BATCH FAILED: error generated (This is the rule I made)
> >
> > *Rule 1002 matched.
> > *Trying child rules.
> > Trying rule: 1009 - Ignoring known false positives on rule 1002..
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '1002'
> > Level: '2'
> > Description: 'Unknown problem somewhere in the system.'
> > **Alert to be generated.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
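As an added example (not code from the thread, and not OSSEC's own engine), here is a small Python emulation of how ossec-testrule applies the decoder quoted above: prematch first, then the regex from offset="after_prematch", then the order mapping onto field names. The translation of OSSEC regex classes into Python's re syntax is an approximation of OSSEC's engine, and the second, wider-spaced log line is constructed to show what the `\s+` runs in the prematch buy you.

```python
import re

# Sample input: the log line from the thread, plus a constructed variant
# with wider spacing between the batch fields (the case the reply mentions).
LOG = "119473-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351"
WIDE_LOG = "119473-00001: P10500079pdfdoc0375.zip 0424-1     05-00079   pdfdoc    FAILED: -351"

# The bnc-decoder from the reply, as plain strings.
PREMATCH = r"^\d+-\d+: \S+ \d+-\d+\s+\d+-\d+\s+\S+\s+"
REGEX = r"^(\S+): \S(\d+)$"
ORDER = ["status", "extra_data"]

# Assumed, approximate mapping of OSSEC regex classes to Python re.
# OSSEC's \s is a single space, \w also covers @ and -, \. is a literal dot.
_OSSEC_CLASSES = {
    r"\d": "[0-9]", r"\D": "[^0-9]",
    r"\s": " ",     r"\S": "[^ ]",
    r"\w": r"[A-Za-z0-9_@\-]", r"\W": r"[^A-Za-z0-9_@\-]",
    r"\.": r"\.",
}

def ossec_to_python(pattern):
    """Rewrite OSSEC character classes; keep ^ $ + * ? | ( ) as metacharacters."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _OSSEC_CLASSES:          # \d, \S, ...
            out.append(_OSSEC_CLASSES[tok]); i += 2
        elif pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1])); i += 2   # \( etc. are literals
        elif pattern[i] in "^$+*?|().":
            out.append(pattern[i]); i += 1   # same meaning in both engines
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))

def decode(log, prematch, regex, order):
    """Emulate prematch -> regex (offset=after_prematch) -> order mapping."""
    pre = ossec_to_python(prematch).search(log)
    if not pre:
        return None                      # decoder does not apply to this line
    rest = log[pre.end():]               # offset="after_prematch"
    m = ossec_to_python(regex).search(rest)
    if not m:
        return None                      # prematch hit, but regex did not
    return dict(zip(order, m.groups()))  # e.g. {'status': 'FAILED', 'extra_data': '351'}

if __name__ == "__main__":
    for line in (LOG, WIDE_LOG, "not a batch line"):
        print(decode(line, PREMATCH, REGEX, ORDER))
```

Running it prints the decoded fields for both batch lines and None for the unrelated line; a None on a line you expected to match tells you whether it was the prematch or the regex that stopped short, which is the same split ossec-testrule's Phase 2 output reports.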
