I am missing something subtle on the order of operations, but just don't see it. What is the correct way to do the decoder here to get each of the logs (in green) to provide the user,extra_data fields? Does the base decoder "D2C_WAP" need to be more granular / extended further into the log?

*Here are my decoders:*

<decoder name="D2C_WAP">
  <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
</decoder>

<!-- 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed -->
<decoder name="D2C_WAP_Fetch_Failed">
  <parent>D2C_WAP</parent>
  <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Get Connection for Schema Fetch of (\.+) is failed</regex>
  <order>user,extra_data</order>
</decoder>

<!-- 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed -->
<decoder name="D2C_WAP_Test_Datasource_failed">
  <parent>D2C_WAP</parent>
  <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Test Connection of (\.+) is failed</regex>
  <order>user,extra_data</order>
</decoder>

*Result of ossec-logtest:*

12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed

**Phase 1: Completed pre-decoding.
       full event: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
       hostname: 'ip-300-330-0-110'
       program_name: '(null)'
       log: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'

**Phase 2: Completed decoding.
       decoder: 'D2C_WAP'
       dstuser: '[email protected]'
       extra_data: 'MSDYNCRM'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed

**Phase 1: Completed pre-decoding.
       full event: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
       hostname: 'ip-300-330-0-110'
       program_name: '(null)'
       log: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'

**Phase 2: Completed decoding.
       decoder: 'D2C_WAP'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

Thanks - Jared

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
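One way to make the two sibling children unambiguous, added here as an example and not taken from Jared's post: give each child its own <prematch> on the literal phrase that distinguishes the two messages, and keep the field-extracting <regex> at offset "after_parent" so the [User: ...] field that precedes the phrase stays in scope. OSSEC evaluates a child's <prematch>, when one is present, to select that child before running its <regex>, and an unanchored prematch is searched anywhere from the offset onward. The chosen phrases are an assumption based on the two sample lines; the capture patterns are the ones from the post, which the first logtest run shows extracting dstuser and extra_data correctly. Re-run ossec-logtest on both lines to confirm that each now reaches its child decoder.

```xml
<!-- Added example (not from the original post): one child per message type,
     each selected by its own prematch. Phrases are assumptions taken from the
     two sample log lines in the post. -->
<decoder name="D2C_WAP">
  <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
</decoder>

<!-- 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed -->
<decoder name="D2C_WAP_Fetch_Failed">
  <parent>D2C_WAP</parent>
  <!-- Selects this child only for the "Schema Fetch" message. -->
  <prematch offset="after_parent">Get Connection for Schema Fetch of </prematch>
  <!-- Regex still starts right after the parent prematch so the User field is captured. -->
  <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Get Connection for Schema Fetch of (\.+) is failed</regex>
  <order>user,extra_data</order>
</decoder>

<!-- 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed -->
<decoder name="D2C_WAP_Test_Datasource_failed">
  <parent>D2C_WAP</parent>
  <!-- Selects this child only for the "Test Connection" message. -->
  <prematch offset="after_parent">Test Connection of </prematch>
  <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Test Connection of (\.+) is failed</regex>
  <order>user,extra_data</order>
</decoder>
```

Because each child's prematch names a phrase that appears in only one of the two messages, the child that is selected is the one whose regex is built for that message, and the field extraction no longer depends on which child happens to be listed first. As in the post's own logtest output, the field named user in <order> is reported as dstuser.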
