Okay this is pretty weird. I wanted to start from scratch with the decoder
so I went back and added each piece to the decoder making sure that it
worked before proceeding to the next piece.
<prematch>^\w\s+\d+ \d\d:\d\d:\d\d</prematch>
This part works beautifully with: Aug 8 13:41:39
However, when I get to the next part, the logtest can't analyze the next
part, the server name. Even when I put in the actual server name. I tried
\S+-\S+-\S+ as well.
<prematch>^\w\s+\d+ \d\d:\d\d:\d\d|</prematch>
<prematch>^\w\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl</prematch>
**Phase 1: Completed pre-decoding.
full event: 'Aug 8 13:41:39 test-bnc3-ctl'
hostname: 'reston-cacti'
program_name: '(null)'
log: 'test-bnc3-ctl'
**Phase 2: Completed decoding.
No decoder matched.
The logtest is saying that the log is only test-bnc3-ctl, so now when I do
this:
<prematch>^\w\s+\d+ \d\d:\d\d:\d\d|</prematch>
<prematch>^\w\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl|</prematch>
<prematch>^test-bnc3-ctl</prematch>
**Phase 1: Completed pre-decoding.
full event: 'Aug 8 13:41:39 test-bnc3-ctl'
hostname: 'reston-cacti'
program_name: '(null)'
log: 'test-bnc3-ctl'
**Phase 2: Completed decoding.
decoder: 'bnc3server'
The logtest ignores the Aug 8 \d\d:\d\d:\d\d and only parses the log
'test-bnc3-ctl', regardless of my putting the full event in correct syntax
in the decoder.
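As an added example (not part of the original post and not OSSEC's own code), a small Python emulation of the pre-decoding behaviour the logtest output above shows: the syslog timestamp and hostname are stripped first, and a decoder's prematch is then tested only against the remaining 'log' field. The patterns below are Python regex, not OSSEC regex syntax, and 'reston-cacti' is taken from the output above as the local hostname logtest fills in.

```python
import re

# Constructed, simplified emulation of the pre-decoding seen in the logtest
# output. Real OSSEC handles more formats; this covers only what the post shows.

LOCAL_HOSTNAME = "reston-cacti"  # from the output above: host used when the line has none

# Syslog header: "Mon DD HH:MM:SS " (one or two spaces before the day)
SYSLOG_TS = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d ")

# Optional program prefix: "sshd[123]: " or "sshd: "
PROGRAM = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: ")


def pre_decode(full_event, local_hostname=LOCAL_HOSTNAME):
    """Return (hostname, program_name, log) the way logtest reports them."""
    ts = SYSLOG_TS.match(full_event)
    if not ts:
        # No syslog header: the whole line is the log.
        return local_hostname, None, full_event
    rest = full_event[ts.end():]
    hostname = local_hostname
    # A hostname is only taken when another field follows it. A bare token,
    # as in 'Aug 8 13:41:39 test-bnc3-ctl', is treated as the log itself.
    if " " in rest:
        hostname, rest = rest.split(" ", 1)
    program_name = None
    prog = PROGRAM.match(rest)
    if prog:
        program_name = prog.group(1)
        rest = rest[prog.end():]
    return hostname, program_name, rest


def prematch(pattern, full_event):
    """A decoder prematch is matched against the 'log' field, not the full event."""
    _, _, log = pre_decode(full_event)
    return re.match(pattern, log) is not None


if __name__ == "__main__":
    event = "Aug 8 13:41:39 test-bnc3-ctl"
    print(pre_decode(event))  # hostname 'reston-cacti', no program, log 'test-bnc3-ctl'
    print(prematch(r"^test-bnc3-ctl", event))  # True: matches the log field
    print(prematch(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d", event))  # False: header already stripped
```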