I'm having a little trouble with a particular decoder. While I was testing, I
tried several methods, using the ForceField example from the 2.7 OSSEC
manual.
Here is the log line:
Aug 8 13:41:39 test-bnc3-ctl logger: ::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer not found on test-bnc3-reston:9305 - couldn't open socket: connection refused
<decoder name="bnc3server">
<prematch>^\w \d+ \d\d:\d\d:\d\d \S+ \w: ::\S+ \w \d+: \w \d+: \w+ BNCServer not found on \S+\s+- couldn't open \S+ \w+ connection refused|</prematch>
<prematch>^\w \d+ \d\d:\d\d:\d\d \S+-\S+-\S+ /w: ::\S+-\S+-\S+:\d+:-\d+: \w \d+: \w+ BNCServer not found on \S+-\S+-\S+:\d+\s+-\s+ \w \w \w: \w \w|</prematch>
<prematch>^\S+ \d+ \d\d:\d\d:\d\d \S+ \S+ \S+ \d+: \S+ \d+: \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+|</prematch>
<prematch>^\w \d+ \d\d:\d\d:\d\d \S+-\S+-\S+ /w: \w+ connection refused</prematch>
</decoder>
**Phase 1: Completed pre-decoding.
full event: 'Aug 8 13:41:39 test-bnc3-ctl logger: ::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer not found on test-bnc3-reston:9305 - couldn't open socket: connection refused'
hostname: 'test-bnc3-ctl'
program_name: 'logger'
log: '::test-bnc3-web1:21197:-1222399088: Attempt 12: BNCServer not found on test-bnc3-reston:9305 - couldn't open socket: connection refused'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
What would be the correct way to get symbols such as ':' and '-' into the
decoder syntax so it can parse lines such as these?
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
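An added example decoder for the log line in the post above; this is not the poster's decoder and not taken from the OSSEC manual. It rests on one assumption that the Phase 1 output makes visible: `<prematch>` and `<regex>` are matched against the pre-decoded `log` field, which here begins at `::test-bnc3-web1:...`, after `hostname` and `program_name` have already been stripped, so a pattern that starts with the `Aug 8 13:41:39` timestamp can never match. In the OSSEC regex dialect `:`, `-` and `'` are plain literal characters; `\S+` takes a whole `host:port` token because it matches anything except a space, whereas `\w+` (letters, digits, `@`, `-` and `_` per the OSSEC regex syntax reference) would stop at the `:`. The decoder name is reused from the post; the `extra_data` and `status` fields in `<order>` are an illustrative choice of OSSEC's fixed field names, not something the post specifies.

```xml
<!-- Added example (not the poster's decoder). Assumption: prematch/regex
     run against the "log" field shown in Phase 1, i.e. the text after
     "logger:", not against the full event with timestamp and hostname. -->
<decoder name="bnc3server">
  <!-- program_name uses OSSEC "match" syntax, so anchor both ends -->
  <program_name>^logger$</program_name>
  <!-- "::" and ":" are literals; \S+ swallows the whole
       "::test-bnc3-web1:21197:-1222399088:" token up to the space -->
  <prematch>^::\S+ Attempt \d+: BNCServer not found on</prematch>
  <!-- after_prematch continues at the space following "on";
       (\S+) captures "test-bnc3-reston:9305", (\w+ \w+) "connection refused" -->
  <regex offset="after_prematch">^ (\S+) - couldn't open socket: (\w+ \w+)$</regex>
  <order>extra_data, status</order>
</decoder>
```

Add it to the decoder file your installation loads and run the same line through ossec-logtest again: Phase 2 should then report decoder `bnc3server` with `extra_data` set to the `test-bnc3-reston:9305` token and `status` set to `connection refused`, instead of "No decoder matched".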