Okay I'm starting to understand a bit more.

> So, let's create a decoder:
>
> <decoder name="bnc3">
>   <program_name>^logger</program_name>
>   <prematch>^::\S+:\S+:\S+: </prematch>
> </decoder>
>
> This one is pretty simple. Just looks for the program name logger, and
> a simple prematch.

So just to clarify, what exactly is the <prematch> looking for in your example? My understanding of \S+ is a string of characters and symbols. I don't understand how "::\S+:\S+:\S+:" translates into the whole log line, unless you are only matching for "::test-bnc3-web1:21197:- 1222399088:".

Given the above is true, I have another question. If I used <regex offset="after_prematch">, would I now be parsing for what comes *after* my initial prematch? So my after_prematch would be looking for "BNCServer not found on test-bnc3-reston:9305 - couldn't open socket: connection refused"? Or would that be after_regex?
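The prematch-then-regex flow the thread is asking about, as an added example that is not part of the original post and not OSSEC's own code: a small Python emulation of how a decoder's <prematch> is tested first and how offset="after_prematch" makes the <regex> start where the prematch ended. Python's re module stands in for OSSEC's own regex engine (whose syntax differs in places), so only the prematch/offset logic is being illustrated. The sample log body is constructed from the fragments quoted in the thread, with the third colon-delimited field simplified so it contains no whitespace; the capturing regex and the field names are assumptions, not anything from the decoder above.

```python
import re

# Constructed sample (assumption): the log body after the syslog header and the
# program name "logger" have been stripped, which is what <prematch> is applied to.
SAMPLE_LOG = ("::test-bnc3-web1:21197:1222399088: BNCServer not found on "
              "test-bnc3-reston:9305 - couldn't open socket: connection refused")

# Constructed variant: the third field contains a space, which \S+ cannot cross.
SPACE_IN_FIELD_LOG = ("::test-bnc3-web1:21197:- 1222399088: BNCServer not found on "
                      "test-bnc3-reston:9305 - couldn't open socket: connection refused")

# The prematch from the quoted decoder: "::" then three non-whitespace fields,
# each terminated by ":", followed by a single space.
PREMATCH = r"^::\S+:\S+:\S+: "

# Hypothetical <regex> (assumption): anchored at the start of whatever follows the
# prematch, it captures the remote host, port and the error text.
AFTER_PREMATCH_REGEX = r"^BNCServer not found on (\S+):(\d+) - (.+)$"
FIELD_NAMES = ("dsthost", "dstport", "extra_data")   # stand-ins for <order> entries


def decode(log, prematch=PREMATCH, regex=AFTER_PREMATCH_REGEX, offset="after_prematch"):
    """Emulate one OSSEC decoder.

    Returns None when the prematch does not match (the decoder is skipped entirely).
    Otherwise returns the prematched prefix and a dict of captured fields; the dict
    is empty when the regex does not match the chosen slice of the log.
    """
    pm = re.match(prematch, log)
    if pm is None:
        return None

    # offset="after_prematch": the regex is evaluated against the text that
    # follows the prematch. With no offset it is evaluated against the whole log.
    remainder = log[pm.end():] if offset == "after_prematch" else log

    m = re.match(regex, remainder)
    fields = dict(zip(FIELD_NAMES, m.groups())) if m else {}
    return {"prematch": pm.group(0), "remainder": remainder, "fields": fields}


if __name__ == "__main__":
    print(decode(SAMPLE_LOG))                      # prematch hit, fields captured
    print(decode(SAMPLE_LOG, offset=None))         # anchored regex misses the full line
    print(decode(SPACE_IN_FIELD_LOG))              # None: the space breaks the third \S+
```

Running it shows the two points a decoder author usually wants to confirm: with offset="after_prematch" the regex sees only "BNCServer not found on ..." and captures the three fields, whereas the same anchored regex run against the whole line matches nothing; and because \S+ stops at whitespace, a field such as "- 1222399088" makes the prematch fail, so the decoder never runs its regex at all.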
