On Sep 20, 2013 12:51 PM, "Paul Raines" <[email protected]> wrote:
>
> I understand why rule 1002 matches, I just didn't understand why it was applied to that log line in the first place. But if all decoders are applied to all log files, I guess that explains why. But it seems a very inefficient design. When one designates the access_log to be watched, one should be able to assign/limit what decoders are applied.
>

The rule 1002 does not specify a decoder, so it applies to all messages (decoded or not). The only decoder that applies is the one that matches. Run the log message through ossec-logtest to find out which one that is.

> My regex does have regex in it. It is the five "."s to match any character

That is not ossec regex.

> I changed it to
>
> <match>HTTP/1.0" 200 </match>
>
> and this seems to work, but I don't understand why my <regex> did not work.

Because it is not ossec regex.

> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
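As an added illustration of the two points made in the reply (this is not a rule from the thread or from the OSSEC rule set): a local rule that is tied to one decoder via `<decoded_as>`, so it is not tried against every message the way a decoder-less rule such as 1002 is, and that expresses the "five any-characters" idea in OSSEC's own regex dialect, where `\.` is the any-character wildcard. The rule id 100100 and the decoder name `web-accesslog` are assumptions; check both against your installation with ossec-logtest.

```xml
<!-- Added example, not the thread's own rule; rule id and decoder name are assumptions. -->
<group name="local,web,">
  <rule id="100100" level="3">
    <!-- Only evaluated for messages the web-accesslog decoder claimed; a rule
         with no <decoded_as> (like 1002) is evaluated for every message. -->
    <decoded_as>web-accesslog</decoded_as>

    <!-- OSSEC regex is not PCRE: "\." is the any-character wildcard here, so the
         five "\." below stand for five arbitrary characters after the status. -->
    <regex>HTTP/1.0" 200 \.\.\.\.\.</regex>

    <description>HTTP/1.0 200 response followed by a five-character field (added example).</description>
  </rule>
</group>
```

Feed the access_log line to ossec-logtest before and after adding the rule: the output names the decoder that claimed the line, which is the value `<decoded_as>` must carry for the rule to be considered at all.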
