On Mon, Jul 8, 2013 at 3:36 PM, David Blanton <[email protected]> wrote:
> Sorry, what I meant to say is, the error messages are not all formatted the
> same. The two clearest examples I can find are FAILED: 301 and FAILED: 351.
>
> 119441-00001: P21129970pdf0080267.zip 0970-2 11-29970 pdf008
> FAILED: -351
> 119441-00001: P21129970pdf0080267.zip 0420-3 (P21129970pdf0080267.zip)
> FAILED: -301
>
>
> There is an extra \S+ in 'FAILED: 301' where '(P211......zip) resides before
> 'FAILED: -301'. What I was asking was how are you writing a decoder where it
> can address both different log messages?
>
In the example I just sent that handles both of these horrendous log samples, I use a "|" to create 2 different prematches that can work.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
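The alternation idea from the reply above, worked through as an added Python example (not the decoder XML posted to the list, and not OSSEC's own code): one pattern with a "|" branch for each of the two log shapes quoted in the thread, so both lines decode to the same field names. It assumes each quoted sample is a single log line that the mail client wrapped, and it uses Python's `re` dialect, which is not identical to OSSEC's decoder regex (OSSEC has its own `\S+`/`\d+` syntax and does not use named groups), so the pattern shows the structure rather than something to paste into a `<prematch>` verbatim.

```python
import re

# Sample lines copied from the thread. Each is assumed to be one log line
# that the mail client wrapped; the third line is constructed as a
# non-failure event to show what a too-narrow prematch silently drops.
SAMPLE_LINES = [
    "119441-00001: P21129970pdf0080267.zip 0970-2 11-29970 pdf008 FAILED: -351",
    "119441-00001: P21129970pdf0080267.zip 0420-3 (P21129970pdf0080267.zip) FAILED: -301",
    "119441-00001: P21129970pdf0080267.zip 0970-2 11-29970 pdf008 OK",
]

# Two alternatives joined with "|", mirroring a prematch with an OR:
#   variant 1: <job>: <zip> <step> <token> <token> FAILED: -<code>
#   variant 2: <job>: <zip> <step> (<token>)     FAILED: -<code>
# The common prefix and suffix sit outside the alternation so only the
# part that actually differs between the two messages is duplicated.
PATTERN = re.compile(
    r"^(?P<job>\S+): (?P<zip>\S+) (?P<step>\S+) "
    r"(?:"
    r"(?P<extra1>\S+) (?P<extra2>\S+)"   # variant 1: two bare tokens
    r"|"
    r"\((?P<paren>\S+)\)"                # variant 2: one parenthesised token
    r") FAILED: -(?P<code>\d+)$"
)


def decode(line):
    """Return the decoded fields for a FAILED line, or None if it does not match."""
    m = PATTERN.match(line)
    if m is None:
        return None
    return {
        "job": m.group("job"),
        "zip": m.group("zip"),
        "step": m.group("step"),
        "code": int(m.group("code")),
        # Record which branch fired; handy when checking that both log
        # shapes really are being picked up and not just one of them.
        "variant": "paren" if m.group("paren") else "plain",
    }


def decode_all(lines):
    """Decode every line, dropping the ones the prematch rejects."""
    return [d for d in (decode(line) for line in lines) if d is not None]


if __name__ == "__main__":
    for event in decode_all(SAMPLE_LINES):
        print(event)
```

Running it prints one decoded event per FAILED sample, with the same `code`, `job` and `zip` keys regardless of which branch matched, and nothing for the "OK" line. Checking `variant` across a batch of real logs is a cheap way to confirm that both halves of the alternation are live; if one branch never fires, the decoder is probably still missing a message shape.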
