<decoder name="D2C_WAP">
<prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
</decoder>
<decoder name="D2C_WAP_Fetch_Failed">
<parent>D2C_WAP</parent>
<regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection </regex>
<order>user</order>
</decoder>
<decoder name="D2C_WAP_Fetch_Failed">
<parent>D2C_WAP</parent>
<regex>of (\S+) is failed$</regex>
<order>extra_data</order>
</decoder>
On Wed, Oct 2, 2013 at 9:03 AM, Jared <[email protected]> wrote:
> I am missing something subtle on the order of operations, but just don't see
> it.
>
> What is the correct way to do the decoder here to get each of the logs (in
> green) to provide the >user,extra_data<?
> Does the base decoder "D2C_WAP" need to be more granular / extended further
> into the log?
>
> Here are my decoders:
>
> <decoder name="D2C_WAP">
> <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
> </decoder>
>
> <!-- 12:20:35,932 ERROR [DataSourceGetConJob:999] [User:
> [email protected]] [Id: 9999999][DataSource]Get Connection for Schema
> Fetch of MSDYNCRM is failed -->
> <decoder name="D2C_WAP_Fetch_Failed">
> <parent>D2C_WAP</parent>
> <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Get Connection for Schema Fetch of (\.+) is failed</regex>
> <order>user,extra_data</order>
> </decoder>
> <!-- 11:44:06,185 ERROR [DataSourceGetConJob:999] [User:
> [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM
> is failed -->
>
> <decoder name="D2C_WAP_Test_Datasource_failed">
> <parent>D2C_WAP</parent>
> <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Test Connection of (\.+) is failed</regex>
> <order>user,extra_data</order>
> </decoder>
>
> Result of ossec-logtest:
>
> 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]]
> [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is
> failed
>
> **Phase 1: Completed pre-decoding.
> full event: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User:
> [email protected]] [Id: 9999999][DataSource]Get Connection for Schema
> Fetch of MSDYNCRM is failed'
> hostname: 'ip-300-330-0-110'
> program_name: '(null)'
> log: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User:
> [email protected]] [Id: 9999999][DataSource]Get Connection for Schema
> Fetch of MSDYNCRM is failed'
> **Phase 2: Completed decoding.
> decoder: 'D2C_WAP'
> dstuser: '[email protected]'
> extra_data: 'MSDYNCRM'
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]]
> [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed
>
> **Phase 1: Completed pre-decoding.
> full event: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User:
> [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM
> is failed'
> hostname: 'ip-300-330-0-110'
> program_name: '(null)'
> log: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User:
> [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM
> is failed'
> **Phase 2: Completed decoding.
> decoder: 'D2C_WAP'
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
> Thanks - Jared
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
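To see the two-decoder approach from the reply actually run, here is an added example; it is not OSSEC code and not part of the thread. It models the part of ossec-analysisd's decoding phase that matters here: the parent's prematch, offset="after_parent", <order>, and the rule that a child decoder carrying the same name as the one before it is evaluated as well, which is what lets the second D2C_WAP_Fetch_Failed entry add extra_data after the first has set user. The log lines are constructed after Jared's two (user@example.com is a placeholder, not an address from the thread), plus an unrelated ERROR line that should reach the parent only. The os_regex-to-Python translation covers just the escapes used here and is an approximation: OSSEC's engine has its own semantics and does not backtrack, so treat the result as an illustration and confirm the real behaviour with ossec-logtest.

```python
import re
import xml.etree.ElementTree as ET

# The decoders from the reply, each <regex> on a single line: a line break
# inside <regex> (as the mail client inserted) becomes part of the pattern.
DECODERS_XML = r"""
<decoder name="D2C_WAP">
  <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
</decoder>
<decoder name="D2C_WAP_Fetch_Failed">
  <parent>D2C_WAP</parent>
  <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection </regex>
  <order>user</order>
</decoder>
<decoder name="D2C_WAP_Fetch_Failed">
  <parent>D2C_WAP</parent>
  <regex>of (\S+) is failed$</regex>
  <order>extra_data</order>
</decoder>
"""

# Constructed sample events shaped like Jared's two lines plus one unrelated
# ERROR line; user@example.com is a placeholder, not an address from the thread.
SAMPLE_LOGS = [
    "12:20:35,932 ERROR [DataSourceGetConJob:999] [User: user@example.com] "
    "[Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed",
    "11:44:06,185 ERROR [DataSourceGetConJob:999] [User: user@example.com] "
    "[Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed",
    "11:45:00,001 ERROR [SomeOtherJob:1] unrelated error text",
]

# os_regex escapes -> Python re. OSSEC's dialect is not PCRE: "\." means any
# character, "\s" is a space, and a bare ".", "[" and "]" are literals.
# Approximation for this example only; os_regex also does not backtrack.
_OSSEC_ESCAPES = {
    "d": "[0-9]", "D": "[^0-9]", "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]",
    "s": " ", "S": "[^ ]", "t": r"\t", ".": ".",
}
FIELD_NAMES = {"user": "dstuser"}   # <order>user</order> shows up as dstuser


def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_ESCAPES:
            out.append(_OSSEC_ESCAPES[pattern[i + 1]])
            i += 2
            continue
        # Groups, repeats, anchors and alternation mean the same in both
        # dialects; everything else is a literal in os_regex, so escape it.
        out.append(ch if ch in "()+*?^$|" else re.escape(ch))
        i += 1
    return "".join(out)


def load_decoders(xml_text):
    """Parse <decoder> entries; a decoder file has no single root, so wrap it."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = []
    for el in root.findall("decoder"):
        regex_el, order_el = el.find("regex"), el.find("order")
        decoders.append({
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "prematch": el.findtext("prematch"),
            "regex": regex_el.text if regex_el is not None else None,
            "offset": regex_el.get("offset") if regex_el is not None else None,
            "order": [f.strip() for f in order_el.text.split(",")] if order_el is not None else [],
        })
    return decoders


def decode(decoders, log):
    """Phase 2: first parent whose prematch hits, then its children in file order."""
    fields = {}
    for parent in (d for d in decoders if d["parent"] is None and d["prematch"]):
        pm = re.search(ossec_to_python(parent["prematch"]), log)
        if pm is None:
            continue
        children = [d for d in decoders if d["parent"] == parent["name"] and d["regex"]]
        i = 0
        while i < len(children):
            child = children[i]
            # offset="after_parent": search only the text after the prematch.
            haystack = log[pm.end():] if child["offset"] == "after_parent" else log
            cm = re.search(ossec_to_python(child["regex"]), haystack)
            if cm is None:
                i += 1                      # no match: try the next sibling
                continue
            for name, value in zip(child["order"], cm.groups()):
                fields[FIELD_NAMES.get(name, name)] = value
            # The first matching child ends the walk, unless the next sibling
            # carries the same name: then it is evaluated as well.
            if i + 1 < len(children) and children[i + 1]["name"] == child["name"]:
                i += 1
                continue
            break
        return parent["name"], fields       # logtest reports the parent's name
    return None, fields


def run_samples():
    decoders = load_decoders(DECODERS_XML)
    return [decode(decoders, line) for line in SAMPLE_LOGS]
```

run_samples() returns one (decoder name, fields) pair per sample line: the first two give dstuser and extra_data, the third only the parent name with no fields. As in Jared's ossec-logtest output, the name reported is the parent's (D2C_WAP) even when a child did the extraction, so do not read that line as "the child never matched"; look at the extracted fields instead.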