hmmm. kiss.. keep it simple smart. Thanks Dan.
On Wed, Oct 2, 2013 at 9:23 AM, dan (ddp) <[email protected]> wrote:
> <decoder name="D2C_WAP">
>   <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
> </decoder>
>
> <decoder name="D2C_WAP_Fetch_Failed">
>   <parent>D2C_WAP</parent>
>   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection </regex>
>   <order>user</order>
> </decoder>
>
> <decoder name="D2C_WAP_Fetch_Failed">
>   <parent>D2C_WAP</parent>
>   <regex>of (\S+) is failed$</regex>
>   <order>extra_data</order>
> </decoder>
>
> On Wed, Oct 2, 2013 at 9:03 AM, Jared <[email protected]> wrote:
> > I am missing something subtle on the order of operations, but just don't see it.
> >
> > What is the correct way to do the decoder here to get each of the logs (in green) to provide the >user,extra_data<?
> > Does the base decoder "D2C_WAP" need to be more granular / extended further into the log?
> >
> > Here are my decoders:
> >
> > <decoder name="D2C_WAP">
> >   <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
> > </decoder>
> >
> > <!-- 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed -->
> > <decoder name="D2C_WAP_Fetch_Failed">
> >   <parent>D2C_WAP</parent>
> >   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Get Connection for Schema Fetch of (\.+) is failed</regex>
> >   <order>user,extra_data</order>
> > </decoder>
> >
> > <!-- 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed -->
> > <decoder name="D2C_WAP_Test_Datasource_failed">
> >   <parent>D2C_WAP</parent>
> >   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Test Connection of (\.+) is failed</regex>
> >   <order>user,extra_data</order>
> > </decoder>
> >
> > Result of ossec-logtest:
> >
> > 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
> >        hostname: 'ip-300-330-0-110'
> >        program_name: '(null)'
> >        log: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'D2C_WAP'
> >        dstuser: '[email protected]'
> >        extra_data: 'MSDYNCRM'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '1002'
> >        Level: '2'
> >        Description: 'Unknown problem somewhere in the system.'
> > **Alert to be generated.
> >
> > 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
> >        hostname: 'ip-300-330-0-110'
> >        program_name: '(null)'
> >        log: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'D2C_WAP'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '1002'
> >        Level: '2'
> >        Description: 'Unknown problem somewhere in the system.'
> > **Alert to be generated.
> >
> > Thanks - Jared
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.

--
Thank you,
Jared R. Greene
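The split Dan proposes (one child decoder for the shared prefix that carries the user, a second for the trailing "of X is failed" that carries the data source) exercised against both message variants, as an added example that is not code from the thread or from OSSEC. It assumes the OSSEC patterns can be approximated in Python's `re` dialect, and the two log lines are constructed from the messages quoted above.

```python
import re

# Constructed sample lines modelled on the two messages quoted in the thread
# (the redacted user placeholder is kept as it appears on the page).
SAMPLE_LOGS = [
    "12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] "
    "[Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed",
    "11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] "
    "[Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed",
]

# Assumption: the OSSEC patterns from Dan's reply rewritten for Python's `re`
# ('\.' becomes '.', literal square brackets are escaped). This exercises the
# patterns only; it does not reproduce OSSEC's engine or the way analysisd
# orders and combines sibling decoders.
PREMATCH = re.compile(r"^\d\d:\d\d:\d\d,\d\d\d ERROR ")
# First child, offset="after_parent": the prefix both message variants share.
USER_RE = re.compile(
    r"\[DataSourceGetConJob:\d+\] \[User: (.+)\] \[Id: \d+\]\[DataSource\]"
    r"\S+ Connection "
)
# Second child, no offset: the data source name sits at the end of either variant.
SOURCE_RE = re.compile(r"of (\S+) is failed$")


def decode(line):
    """Return the fields the split decoders extract, or None if the parent
    prematch does not hit (the line would never reach the children)."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None
    fields = {"decoder": "D2C_WAP"}
    rest = line[pre.end():]  # what offset="after_parent" hands to the child
    m = USER_RE.match(rest)
    if m:
        fields["user"] = m.group(1)
    m = SOURCE_RE.search(line)  # no offset: searched against the whole line
    if m:
        fields["extra_data"] = m.group(1)
    return fields


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(decode(log))
```

Both variants yield the same user and data source, which is what the original per-message decoders could not do with a single pattern each.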
