On Wed, Sep 18, 2013 at 11:37 AM, Jared <[email protected]> wrote:
> I have the following log entry (and the "[" was not my idea):
>
> 18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
> [Bob][Marley][tokenString].[worker]
> [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]
>
> I have the following Decoder:
>
> <decoder name="D2C-CONFIG">
> <prematch>^\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d.\d\d\d CONFIG</prematch>
> </decoder>
>
> <decoder name="D2C-FetchRows">
> <parent>D2C-CONFIG</parent>
> <regex offset="after_parent"> [(\S+)] [(\S+)][(\S+)][(\S+)].[(\S+)]
> [success=(\S+)][ms=(\S+)][token=\S+][maxFetchRows=\S+][paramCount=\S+][sqlText=\S+][sqlCommand=\S+][rowsFetched=(\S+)]</regex>
>
> <order>extra_data,user,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data,extra_data</order>
> </decoder>
>
> Which elicits the following results.
>
>
> ossec-testrule: Type one log per line.
>
> 18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
> [Bob][Marley][tokenString].[worker]
> [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]
>
>
> **Phase 1: Completed pre-decoding.
> full event: '18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
> [Bob][Marley][tokenString].[worker]
> [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]'
> hostname: 'ip-257-999-816-615'
> program_name: '(null)'
> log: '18-Sep-2013 13:16:20.054 CONFIG [Thread-17]
> [Bob][Marley][tokenString].[worker]
> [success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999][sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]'
>
> **Phase 2: Completed decoding.
> decoder: 'D2C-CONFIG'
> extra_data: 'Thread-17'
> dstuser: 'Bob'
> extra_data: 'Marley'
> extra_data: 'tokenString'
> extra_data: 'worker'
> extra_data: 'true'
> extra_data: '172'
> extra_data: 'rowsFetched=888]'
>
> Questions:
> 1. Why does this decode as D2C-CONFIG as opposed to "D2C-FetchRows"?
"D2C-FetchRows" is a child decoder. The parent decoder is shown in the
decoder field.
> 2. The last line of the Phase 2 { extra_data: 'rowsFetched=888]' } why is
> the closing bracket showing up there but not other places, and how do I get
> rid of it?
Try \p instead of that bracket in the regex.
> 3. Is there a syntax that would extract 'Bob Marley' from [Bob][Marley] in
> the original message? I have tried several iterations and always end up with
> the brackets.
>
You could get Bob and Marley in different fields, but there isn't a
way to remove the brackets from the one field (that I can think of).
> Thank you,
>
>
> Jared
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
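A reference parser for this bracketed log format, added here as an example and not part of the thread or of OSSEC (it uses Python's `re`, not OSSEC's regex dialect, so it does not reproduce what the decoder above does): it returns the fields a decoder for this line should yield, including 'Bob Marley' without brackets, and flags any value in ossec-logtest Phase 2 output that still carries a bracket, as the rowsFetched field above does. The sample log line and the Phase 2 excerpt are constructed from the messages above.

```python
import re
# Constructed sample: the log entry from the thread, joined onto one line as ossec-logtest expects.
SAMPLE_LOG = (
    "18-Sep-2013 13:16:20.054 CONFIG [Thread-17] "
    "[Bob][Marley][tokenString].[worker] "
    "[success=true][ms=172][token=SomeCMD][maxFetchRows=555][paramCount=999]"
    "[sqlText=SOMESTATEMENT...][sqlCommand=SOMESTATEMENT][rowsFetched=888]"
)
# Constructed sample: an excerpt of the Phase 2 block ossec-logtest printed for that event.
SAMPLE_PHASE2 = """\
**Phase 2: Completed decoding.
decoder: 'D2C-CONFIG'
extra_data: 'Thread-17'
dstuser: 'Bob'
extra_data: '172'
extra_data: 'rowsFetched=888]'
"""
HEADER_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) (.*)$")
BLOCK_RE = re.compile(r"\[([^\[\]]*)\]")   # one [...] block; the brackets stay outside the group
FIELD_RE = re.compile(r"^(\w+): '(.*)'$")  # one "name: 'value'" line of logtest output

def parse_d2c(line):
    """Reference parser: the fields a decoder for this line should yield (None if no match)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {"timestamp": m.group(1), "level": m.group(2)}
    positional = []
    for body in BLOCK_RE.findall(m.group(3)):
        if "=" in body:                 # [key=value] block
            key, value = body.split("=", 1)
            fields[key] = value
        else:                           # bare [value] block
            positional.append(body)
    # Bare blocks come in a fixed order: thread, first name, last name, token string, worker
    if len(positional) == 5:
        fields["thread"] = positional[0]
        fields["user"] = positional[1] + " " + positional[2]   # 'Bob Marley', no brackets
        fields["token_string"] = positional[3]
        fields["worker"] = positional[4]
    return fields

def bracket_residue(phase2_text):
    """(field, value) pairs in logtest Phase 2 output whose value still carries '[', ']' or '='."""
    bad = []
    for line in phase2_text.splitlines():
        m = FIELD_RE.match(line)
        if m and any(c in m.group(2) for c in "[]="):
            bad.append((m.group(1), m.group(2)))
    return bad
```

Run `bracket_residue` over the Phase 2 block of `ossec-logtest` after each decoder change; an empty list means no field still carries delimiter residue.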