In your first email, I would suggest having a program_name entry for the logger first, before the prematch section, so phase 2 will be filled. -Stephane
On Fri, Aug 9, 2013 at 9:54 AM, David Blanton <[email protected]> wrote:
> Okay this is pretty weird. I wanted to start from scratch with the decoder
> so I went back and added each piece to the decoder making sure that it
> worked before proceeding to the next piece.
>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d</prematch>
>
> This part works beautifully with: Aug 8 13:41:39
> However, when I get to the next part, the logtest can't analyze the next
> part, the server name. Even when I put in the actual server name. I tried
> \S+-\S+-\S+ as well.
>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d|</prematch>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl</prematch>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Aug 8 13:41:39 test-bnc3-ctl'
> hostname: 'reston-cacti'
> program_name: '(null)'
> log: 'test-bnc3-ctl'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> The logtest is saying that the log is only test-bnc3-ctl, so now when I do
> this:
>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d|</prematch>
> <prematch>^\w\s+\d+ \d\d:\d\d:\d\d test-bnc3-ctl|</prematch>
> <prematch>^test-bnc3-ctl</prematch>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Aug 8 13:41:39 test-bnc3-ctl'
> hostname: 'reston-cacti'
> program_name: '(null)'
> log: 'test-bnc3-ctl'
>
> **Phase 2: Completed decoding.
> decoder: 'bnc3server'
>
> The logtest ignores the Aug 8 \d\d:\d\d:\d\d and only parses the log
> 'test-bnc3-ctl'. Regardless of me putting the full event in correct syntax
> in the decoder.
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
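A small Python simulation of what the logtest output in the thread shows, added here as an illustration and not OSSEC's own code: phase 1 strips the syslog timestamp and any "host program[pid]:" header, and a decoder's prematch is then tested against the remaining `log` field only, which is why the timestamp pattern never sees "Aug 8 13:41:39". The pre-decoder approximation, the second sample line carrying a program name, and the rewrite of the thread's pattern as `^\w+\s+\d+ \d\d:\d\d:\d\d` (Python `re` syntax, not OSSEC's regex dialect) are assumptions for this example.

```python
import re

# Constructed samples: the first is the event quoted in the thread, the
# second adds a "program[pid]:" header so phase 1 can fill program_name.
SAMPLE_NO_PROGRAM = "Aug 8 13:41:39 test-bnc3-ctl"
SAMPLE_WITH_PROGRAM = "Aug 8 13:41:39 test-bnc3-ctl bnc3d[123]: link up"

# Approximation of OSSEC's syslog pre-decoder (phase 1), written for this
# example: drop a leading "Mon DD HH:MM:SS " timestamp, then try to split
# "hostname program_name[pid]: message". Not OSSEC's actual implementation.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
HEADER = re.compile(r"^(\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

def predecode(event, local_host="reston-cacti"):
    """Return the phase-1 fields: hostname, program_name and residual log."""
    rest = TIMESTAMP.sub("", event, count=1)
    m = HEADER.match(rest)
    if m:
        return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}
    # No "host program:" header: hostname falls back to the collecting host,
    # program_name stays null and everything after the timestamp is the log.
    return {"hostname": local_host, "program_name": None, "log": rest}

# Decoder candidates, in order. Each prematch is applied to the phase-1
# 'log' field, never to the full event (assumption modelled on the thread).
DECODERS = [
    ("timestamp-prematch", re.compile(r"^\w+\s+\d+ \d\d:\d\d:\d\d")),  # thread's attempt
    ("bnc3server", re.compile(r"^test-bnc3-ctl")),                     # the one that matched
]

def decode(event):
    """Phase 2: return (decoder name or None, phase-1 fields)."""
    fields = predecode(event)
    for name, prematch in DECODERS:
        if prematch.search(fields["log"]):
            return name, fields
    return None, fields

def timestamp_pattern_matches_full_event(event):
    """Shows the timestamp prematch does match the raw line, just not the log field."""
    return DECODERS[0][1].search(event) is not None

if __name__ == "__main__":
    for sample in (SAMPLE_NO_PROGRAM, SAMPLE_WITH_PROGRAM):
        name, fields = decode(sample)
        print(f"full event: {sample!r}\n  phase 1: {fields}\n  phase 2: {name}")
```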
