On Mon, Jul 8, 2013 at 2:40 PM, David Blanton <[email protected]> wrote:
> 119443-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351
>
> From the log, this will come up as my 'parent' rule.
>
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100002'
>        Level: '4'
>        Description: 'BATCH FAILED: error generated '
> **Alert to be generated.
>
> (RULES local_rules.xml)
>
>
> <group name="bnc3prod">
>   <rule id="100002" level="4">
>     <decoded_as>bnc3prod</decoded_as>
>     <description>BATCH FAILED: error generated </description>
>   </rule>
>
>   <rule id="100052" level="10">
>     <if_sid>100002</if_sid>
>     <status>FAILED</status>
>     <match>351</match>
>     <description>FAILED 351: PDF error</description>
>   </rule>
> </group>
>
> But I think it is failing at the <status></status>.
>
> Also it is my mistake for assuming all error logs had the same format.
>
> FAILED 301 outputs this in reduce.%m%d
>
> 119442-00001: P21129970pdf0080267.zip 0420-3 (P21129970pdf0080267.zip) FAILED: -301
>
This seems to cover this message as well as the previous ones:

<decoder name="bnc-decoder">
  <!-- OSSEC concatenates repeated <prematch> elements, so the trailing '|'
       on the first one joins the two into a single alternation. -->
  <prematch>^\d+-\d+: \S+ \d+-\d+\s+\d+-\d+\s+\S+|</prematch>
  <prematch>^\d+-\d+: \S+ \d+-\d+\s+\(\S+\)</prematch>
  <!-- Everything after the prematch: "FAILED: -351" -> status=FAILED, extra_data=351 -->
  <regex offset="after_prematch">(\S+): \S(\d+)$</regex>
  <order>status, extra_data</order>
</decoder>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
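To check how the decoder above and the two rules quoted from David's local_rules.xml behave on both line formats, here is an added example that is not code from the thread or from OSSEC: a small Python emulation of the decoder and the rule chain. OSSEC's os_regex syntax is translated to Python `re` only where the two agree (`\d`, `\s`, `\S`, `^`, `$`, escaped parentheses, `|`). The decoder name is assumed to be what the parent rule's `<decoded_as>` references; in the thread the rule says bnc3prod while the decoder is named bnc-decoder, and those must agree for rule 100002 to fire at all. The sample log lines are constructed from the two formats quoted above, and the rule engine is a simplified model (parent on `decoded_as`, child only once its `if_sid` parent matched, `<status>` and `<match>` as substring checks), not the real analysisd.

```python
import re

# Constructed sample input: the two log formats quoted in the thread.
SAMPLE_LOGS = [
    "119443-00001: P10500079pdfdoc0375.zip 0424-1 05-00079 pdfdoc FAILED: -351",
    "119442-00001: P21129970pdf0080267.zip 0420-3 (P21129970pdf0080267.zip) FAILED: -301",
]

# OSSEC concatenates repeated <prematch> elements, so the trailing '|' on the
# first one turns the pair into a single alternation. Same thing in Python re:
PREMATCH = re.compile(
    r"^\d+-\d+: \S+ \d+-\d+\s+\d+-\d+\s+\S+"   # "... 0424-1 05-00079 pdfdoc"
    r"|^\d+-\d+: \S+ \d+-\d+\s+\(\S+\)"        # "... 0420-3 (file.zip)"
)
# <regex offset="after_prematch">(\S+): \S(\d+)$</regex>, fields named by <order>.
FIELD_REGEX = re.compile(r"(\S+): \S(\d+)$")
ORDER = ("status", "extra_data")

# Assumption: the rules' <decoded_as> refers to this decoder name.
DECODER_NAME = "bnc-decoder"

# The two rules from local_rules.xml as quoted in the thread, reduced to the
# fields the toy engine below understands.
RULES = [
    {"id": 100002, "level": 4, "decoded_as": DECODER_NAME,
     "description": "BATCH FAILED: error generated"},
    {"id": 100052, "level": 10, "if_sid": 100002, "status": "FAILED",
     "match": "351", "description": "FAILED 351: PDF error"},
]


def decode(line):
    """Emulate the decoder: apply the prematch, then extract fields from the
    text after it. Returns a dict of decoded fields, or None when the prematch
    fails (the decoder would not be applied to that line at all)."""
    pm = PREMATCH.search(line)
    if pm is None:
        return None
    fields = {"decoder": DECODER_NAME}
    m = FIELD_REGEX.search(line[pm.end():])
    if m:
        fields.update(zip(ORDER, m.groups()))
    return fields


def evaluate(line):
    """Walk the rule chain: the parent rule matches on decoded_as, a child
    (if_sid) rule is only tried once its parent matched, and <status>/<match>
    are substring checks. Returns the last, most specific, matching rule or
    None when nothing applies."""
    fields = decode(line)
    if fields is None:
        return None
    matched = None
    for rule in RULES:
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "decoded_as" in rule and fields.get("decoder") != rule["decoded_as"]:
            continue
        if "status" in rule and rule["status"] not in fields.get("status", ""):
            continue
        if "match" in rule and rule["match"] not in line:
            continue
        matched = rule
    return matched


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(decode(log), "->", evaluate(log))
```

Run with python3: the -351 line is decoded with status=FAILED, extra_data=351 and reaches rule 100052 (level 10), while the -301 line decodes the same way but stops at parent rule 100002 (level 4) because `<match>351</match>` does not hold. That is the split the thread is after; to confirm it against the real engine, feed the same two lines to ossec-logtest with the decoder and rules installed.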
