I agree with you on the horrendous part. I've had a lot of head-banging moments dealing with these batches of files. Really isn't much I can do about it since we have DBs that read them that way.

Okay, thanks for clarifying. So a | acts as an and/or? Is there any particular reason to use the <parent> tag over | for decoders? Can you explain how the regex offset works?

Dan, I will be more than willing to help you document the rules portion of OSSEC once I have a stronger understanding of it.

On Monday, July 8, 2013 3:39:33 PM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Jul 8, 2013 at 3:36 PM, David Blanton <[email protected]> wrote:
> > Sorry, what I meant to say is, the error messages are not all formatted the
> > same. The two clearest examples I can find are FAILED: 301 and FAILED: 351.
> >
> > 119441-00001: P21129970pdf0080267.zip 0970-2 11-29970 pdf008
> > FAILED: -351
> > 119441-00001: P21129970pdf0080267.zip 0420-3 (P21129970pdf0080267.zip)
> > FAILED: -301
> >
> >
> > There is an extra \S+ in 'FAILED: 301' where '(P211......zip) resides before
> > 'FAILED: -301'. What I was asking was how are you writing a decoder where it
> > can address both different log messages?
> >
>
> In the example I just sent that handles both of these horrendous log
> samples, I use a "|" to create 2 different prematches that can work.
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
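The "|"-as-OR behaviour dan describes, together with the <parent> and offset questions, as an added example that is not part of the original thread and not OSSEC's own code: a small Python emulation of a parent/child decoder pair run over the two log samples quoted above. Python's re stands in for OSSEC's own regex dialect, and the decoder names, the field names in order, and the patterns are assumptions, not definitions from any OSSEC decoder file.

```python
"""Emulation of an OSSEC-style decoder chain (added example, not OSSEC code).

It models three decoder features discussed in the thread:
  * "|" in a pattern, which OSSEC treats as OR: the first alternative that
    matches wins, so one decoder can cover two differently shaped lines;
  * <parent>, which makes a child decoder run only after the parent matched;
  * offset="after_parent" (and, by the same mechanism, "after_prematch"),
    which starts the child regex at the end of the earlier match instead
    of at column 0.

Python's `re` is used in place of OSSEC's regex dialect; the patterns are
written in Python syntax and are assumptions, not OSSEC decoder definitions.
"""
import re

# Constructed sample lines, assembled from the two log samples quoted in the thread.
SAMPLE_LOGS = [
    "119441-00001: P21129970pdf0080267.zip 0970-2 11-29970 pdf008 FAILED: -351",
    "119441-00001: P21129970pdf0080267.zip 0420-3 (P21129970pdf0080267.zip) FAILED: -301",
]

# Parent decoder (hypothetical name): its prematch only identifies the log family,
# the common "119441-00001: " style prefix, and extracts nothing.
PARENT = {
    "name": "batch-job",
    "prematch": r"^\d+-\d+: ",
}

# Child decoder (hypothetical name): the list entries mirror the two sides of a
# single "|" inside one <regex>. offset="after_parent" means the regex is applied
# to the text that follows the parent's match, so "^" anchors just past the prefix.
CHILD = {
    "name": "batch-job-failed",
    "parent": "batch-job",
    "offset": "after_parent",
    "regex": [
        r"^(\S+) \S+ \S+ \S+ FAILED: (-?\d+)",  # "... 0970-2 11-29970 pdf008 FAILED: -351"
        r"^(\S+) \S+ \(\S+\) FAILED: (-?\d+)",  # "... 0420-3 (P21...zip) FAILED: -301"
    ],
    # <order> maps the capture groups of whichever alternative matched to field names.
    "order": ["extra_data", "id"],
}


def _first_match(patterns, text):
    """Try each alternative in order ("|" semantics); return the first Match or None."""
    for pattern in patterns:
        match = re.match(pattern, text)  # re.match anchors at the start of `text`
        if match:
            return match
    return None


def decode(line):
    """Run the parent/child chain over one log line and return the decoded fields.

    Returns None when the parent does not match (the child is never consulted),
    a dict naming only the parent when the child fails, and the extracted fields
    plus the child's name when the whole chain matches.
    """
    parent_match = re.match(PARENT["prematch"], line)
    if not parent_match:
        return None
    # after_parent: hand the child only the text following the parent's match.
    remainder = line[parent_match.end():]
    child_match = _first_match(CHILD["regex"], remainder)
    if not child_match:
        return {"decoder": PARENT["name"]}
    fields = dict(zip(CHILD["order"], child_match.groups()))
    fields["decoder"] = CHILD["name"]
    return fields


def decode_all(lines):
    """Decode every line; useful for checking a batch of samples at once."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for result in decode_all(SAMPLE_LOGS):
        print(result)
```

Two points the emulation makes concrete: neither alternative of the child regex matches the other line (the token counts differ), so the order of the alternatives does not matter here, and the parent carries only the shared prefix so that both alternatives can start with "^" on the remainder rather than each repeating the prefix. Run it directly to print the decoded fields for both samples.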
