Thank you again! "...[rowsFetched=(\d+)</regex>" got rid of the "]".

Jared

On Wed, Sep 18, 2013 at 12:03 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Sep 18, 2013 at 11:37 AM, Jared <[email protected]> wrote:
> > I have the following log entry (and the "[" was not my idea):
> >
> > 18-Sep-2013 13:16:20.054 CONFIG [Thread-17] [Bob][Marley][tokenString].[worker] [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]
> >
> > I have the following decoder:
> >
> > <decoder name="D2C-CONFIG">
> >   <prematch>^\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d.\d\d\d CONFIG</prematch>
> > </decoder>
> >
> > <decoder name="D2C-FetchRows">
> >   <parent>D2C-CONFIG</parent>
> >   <regex offset="after_parent"> [(\S+)] [(\S+)][(\S+)][(\S+)].[(\S+)] [success=(\S+)][ms=(\S+)][token=\S+][maxFetchRows=\S+][paramCount=\S+][sqlText=\S+][sqlCommand=\S+][rowsFetched=(\S+)]</regex>
> >   <order>extra_data,user,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data</order>
> > </decoder>
> >
> > Which elicits the following results:
> >
> > ossec-testrule: Type one log per line.
> >
> > 18-Sep-2013 13:16:20.054 CONFIG [Thread-17] [Bob][Marley][tokenString].[worker] [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '18-Sep-2013 13:16:20.054 CONFIG [Thread-17] [Bob][Marley][tokenString].[worker] [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]'
> >        hostname: 'ip-257-999-816-615'
> >        program_name: '(null)'
> >        log: '18-Sep-2013 13:16:20.054 CONFIG [Thread-17] [Bob][Marley][tokenString].[worker] [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'D2C-CONFIG'
> >        extra_data: 'Thread-17'
> >        dstuser: 'Bob'
> >        extra_data: 'Marley'
> >        extra_data: 'tokenString'
> >        extra_data: 'worker'
> >        extra_data: 'true'
> >        extra_data: '172'
> >        extra_data: 'rowsFetched=888]'
> >
> > Questions:
> > 1. Why does this decode as D2C-CONFIG as opposed to "D2C-FetchRows"?
>
> "D2C-FetchRows" is a child decoder. The parent decoder is shown in the
> decoder field.
>
> > 2. The last line of Phase 2 { extra_data: 'rowsFetched=888]' }: why is
> > the closing bracket showing up there but not other places, and how do I get
> > rid of it?
>
> Try \p instead of that bracket in the regex.
>
> > 3. Is there a syntax that would extract 'Bob Marley' from [Bob][Marley] in
> > the original message? I have tried several iterations and always end up with
> > the brackets.
>
> You could get Bob and Marley in different fields, but there isn't a
> way to remove the brackets from the one field (that I can think of).
>
> > Thank you,
> >
> > Jared
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.

--
Thank you,
Jared R. Greene
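A small Python emulation of the decoder chain discussed in the thread, added here as an example (it is not code from the thread or from OSSEC). It translates the OSSEC regex dialect into Python `re` syntax using the documented class table (`\d`, `\w`, `\s`, `\S`, `\p`, `\.`; that table and the exact `\p` punctuation set are assumptions of this example), applies the `D2C-CONFIG` prematch, then runs the `D2C-FetchRows` regex on the text after the parent match and pairs the captures with the `<order>` names. Python's engine backtracks, so the thread's original `[rowsFetched=(\S+)]` tail decodes cleanly here even though ossec-logtest printed `rowsFetched=888]`; the emulation shows the field mapping and the parent/child reporting, not os_regex's matching quirks.

```python
import re

# Constructed sample: the thread's log entry joined onto one line.
LOG_LINE = (
    "18-Sep-2013 13:16:20.054 CONFIG [Thread-17] [Bob][Marley][tokenString].[worker] "
    "[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999]"
    "[sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]"
)

# OSSEC escape -> Python regex fragment. Assumption: taken from the documented
# OSSEC regex syntax; this table belongs to the example, not to OSSEC.
OSSEC_CLASSES = {
    "d": r"[0-9]",
    "w": r"[A-Za-z0-9@_\-]",
    "s": r" ",
    "t": r"\t",
    "D": r"[^0-9]",
    "W": r"[^A-Za-z0-9@_\-]",
    "S": r"[^ ]",
    "p": r"[()*+,\-.:;<=>?\[\]]",  # documented punctuation set for \p (assumed)
    ".": r".",                     # in OSSEC only "\." is the any-character wildcard
}


def ossec_to_python(pattern):
    """Translate an OSSEC-dialect regex into a Python regex string.

    OSSEC has no character classes, so "[" and "]" are literal characters and
    a bare "." is a literal dot; ^ $ + * ( ) | keep their usual meaning.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in "^$+*()|" else re.escape(ch))
        i += 1
    return "".join(out)


def decode(log, parent, children):
    """Emulate a parent <prematch> followed by child <regex offset="after_parent">.

    Returns the parent name (what ossec-logtest reports as 'decoder'), the
    child that matched, and the captures paired with the child's <order>
    names. Duplicate names are kept in order, as logtest prints them, and
    surplus <order> names (the thread lists 10 for 8 captures) are ignored.
    """
    pre = re.search(ossec_to_python(parent["prematch"]), log)
    if pre is None:
        return None
    remainder = log[pre.end():]  # offset="after_parent"
    for child in children:
        m = re.search(ossec_to_python(child["regex"]), remainder)
        if m is None:
            continue
        fields = list(zip(child["order"], m.groups()))
        return {"decoder": parent["name"], "child": child["name"], "fields": fields}
    return {"decoder": parent["name"], "child": None, "fields": []}


D2C_CONFIG = {
    "name": "D2C-CONFIG",
    "prematch": r"^\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d.\d\d\d CONFIG",
}

# Everything in the thread's child regex up to the rowsFetched part.
FETCHROWS_PREFIX = (
    r" [(\S+)] [(\S+)][(\S+)][(\S+)].[(\S+)] "
    r"[success=(\S+)][ms=(\S+)][token=\S+][maxFetchRows=\S+]"
    r"[paramCount=\S+][sqlText=\S+][sqlCommand=\S+]"
)


def fetchrows_decoder(tail):
    """Build D2C-FetchRows with one of the rowsFetched tails from the thread:
    the original "[rowsFetched=(\\S+)]", dan's "[rowsFetched=(\\S+)\\p", or
    Jared's final "[rowsFetched=(\\d+)"."""
    return {
        "name": "D2C-FetchRows",
        "regex": FETCHROWS_PREFIX + tail,
        "order": ["extra_data", "user"] + ["extra_data"] * 8,
    }


if __name__ == "__main__":
    for tail in (r"[rowsFetched=(\S+)]", r"[rowsFetched=(\S+)\p", r"[rowsFetched=(\d+)"):
        result = decode(LOG_LINE, D2C_CONFIG, [fetchrows_decoder(tail)])
        print(f"{tail:28} decoder={result['decoder']} last field={result['fields'][-1]}")
```

Running the file prints the decoded last field for the three tails the thread discusses. The `decoder` value is the parent name, which is dan's answer to question 1; ossec-logtest also displays the `user` slot as `dstuser`, as in the quoted output, while the emulation keeps the `<order>` name as written.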
