On Wed, Oct 2, 2013 at 9:29 AM, Jared Greene <[email protected]> wrote:
> hmmm. kiss.. keep it simple smart.
>
> Thanks Dan.
>
> The logs were similar enough that the decoding engine couldn't quite see the differences between them well enough (or I didn't have the patience to figure it out). So this seemed like the best option.
>
> On Wed, Oct 2, 2013 at 9:23 AM, dan (ddp) <[email protected]> wrote:
>>
>> <decoder name="D2C_WAP">
>>   <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
>> </decoder>
>>
>> <decoder name="D2C_WAP_Fetch_Failed">
>>   <parent>D2C_WAP</parent>
>>   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection </regex>
>>   <order>user</order>
>> </decoder>
>>
>> <decoder name="D2C_WAP_Fetch_Failed">
>>   <parent>D2C_WAP</parent>
>>   <regex>of (\S+) is failed$</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> On Wed, Oct 2, 2013 at 9:03 AM, Jared <[email protected]> wrote:
>> > I am missing something subtle on the order of operations, but just don't see it.
>> >
>> > What is the correct way to do the decoder here to get each of the logs (in green) to provide the >user,extra_data<?
>> > Does the base decoder "D2C_WAP" need to be more granular / extended further into the log?
>> >
>> > Here are my decoders:
>> >
>> > <decoder name="D2C_WAP">
>> >   <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch>
>> > </decoder>
>> >
>> > <!-- 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed -->
>> > <decoder name="D2C_WAP_Fetch_Failed">
>> >   <parent>D2C_WAP</parent>
>> >   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Get Connection for Schema Fetch of (\.+) is failed</regex>
>> >   <order>user,extra_data</order>
>> > </decoder>
>> >
>> > <!-- 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed -->
>> > <decoder name="D2C_WAP_Test_Datasource_failed">
>> >   <parent>D2C_WAP</parent>
>> >   <regex offset="after_parent">[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]Test Connection of (\.+) is failed</regex>
>> >   <order>user,extra_data</order>
>> > </decoder>
>> >
>> > Result of ossec-logtest:
>> >
>> > 12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
>> >        hostname: 'ip-300-330-0-110'
>> >        program_name: '(null)'
>> >        log: '12:20:35,932 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed'
>> > **Phase 2: Completed decoding.
>> >        decoder: 'D2C_WAP'
>> >        dstuser: '[email protected]'
>> >        extra_data: 'MSDYNCRM'
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '1002'
>> >        Level: '2'
>> >        Description: 'Unknown problem somewhere in the system.'
>> > **Alert to be generated.
>> >
>> > 11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
>> >        hostname: 'ip-300-330-0-110'
>> >        program_name: '(null)'
>> >        log: '11:44:06,185 ERROR [DataSourceGetConJob:999] [User: [email protected]] [Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed'
>> > **Phase 2: Completed decoding.
>> >        decoder: 'D2C_WAP'
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '1002'
>> >        Level: '2'
>> >        Description: 'Unknown problem somewhere in the system.'
>> > **Alert to be generated.
>> >
>> > Thanks - Jared
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> Thank you,
>
> Jared R. Greene
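To check dan's decoders against both log formats without a running OSSEC install, here is an added Python example; it is not code from the thread or from the OSSEC project. It converts OSSEC's regex dialect (where `\.` is any character, a bare `.` is a literal dot and `[`/`]` are literal) into Python's, applies the parent `prematch`, then the children with `offset="after_parent"` handled as in the thread. The way it chains the two same-named `D2C_WAP_Fetch_Failed` decoders is an assumption about OSSEC's behaviour, and the sample log lines, the `jdoe@example.com` user and the `OSSEC_ESCAPES` table are constructed for the example.

```python
"""Minimal emulation of OSSEC decoder evaluation for the D2C_WAP decoders.

Constructed example, not OSSEC code: it translates OSSEC regex syntax to
Python's and walks a parent decoder and its children the way the thread's
decoders are meant to be evaluated.
"""
import re
import string
from typing import Optional

# OSSEC regex escapes -> Python equivalents (assumed mapping; "\p" is an
# approximation of OSSEC's punctuation class).
OSSEC_ESCAPES = {
    "d": "[0-9]", "D": "[^0-9]",
    "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]",
    "s": r"\s", "S": r"\S", "t": r"\t",
    ".": ".",                                   # "\." is "any character"
    "p": "[" + re.escape(string.punctuation) + "]",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # Anchors, quantifiers, groups and alternation keep their meaning;
        # everything else (including "." and "[") is literal in OSSEC.
        out.append(c if c in "^$+*?()|" else re.escape(c))
        i += 1
    return "".join(out)


# dan's decoders from the thread as dicts. "order" lists the field names
# that successive capture groups are stored under.
D2C_WAP = {
    "name": "D2C_WAP",
    "prematch": r"^\d\d:\d\d:\d\d,\d\d\d ERROR ",
    "children": [
        {"name": "D2C_WAP_Fetch_Failed", "offset": "after_parent",
         "regex": r"[DataSourceGetConJob:\d+] [User: (\.+)] [Id: \d+][DataSource]\S+ Connection ",
         "order": ["user"]},
        {"name": "D2C_WAP_Fetch_Failed", "offset": None,
         "regex": r"of (\S+) is failed$",
         "order": ["extra_data"]},
    ],
}


def decode(line: str, decoder: dict = D2C_WAP) -> Optional[dict]:
    """Return decoded fields for one line, or None if the parent prematch
    misses. Child handling is an assumption about OSSEC: the first child
    whose regex matches wins, and later children carrying the same name are
    evaluated too so they can add fields (what the two same-named
    D2C_WAP_Fetch_Failed decoders rely on)."""
    pm = re.search(ossec_to_python(decoder["prematch"]), line)
    if not pm:
        return None
    fields = {"decoder": decoder["name"]}
    matched_name = None
    for child in decoder["children"]:
        if matched_name is not None and child["name"] != matched_name:
            break
        target = line[pm.end():] if child["offset"] == "after_parent" else line
        m = re.search(ossec_to_python(child["regex"]), target)
        if m:
            matched_name = child["name"]
            fields.update(zip(child["order"], m.groups()))
    return fields


def decode_all(lines, decoder: dict = D2C_WAP):
    return [decode(line, decoder) for line in lines]


# Constructed sample lines mirroring the two formats in the thread; the
# third one is an INFO line the parent prematch should reject.
SAMPLE_LOGS = [
    "12:20:35,932 ERROR [DataSourceGetConJob:999] [User: jdoe@example.com] "
    "[Id: 9999999][DataSource]Get Connection for Schema Fetch of MSDYNCRM is failed",
    "11:44:06,185 ERROR [DataSourceGetConJob:999] [User: jdoe@example.com] "
    "[Id: 9999999][DataSource]Test Connection of MSDYNCRM is failed",
    "11:44:07,001 INFO [DataSourceGetConJob:999] [User: jdoe@example.com] "
    "[Id: 9999999][DataSource]Test Connection of MSDYNCRM succeeded",
]

if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS)):
        print(line)
        print("   ->", fields)
```

Run as a script, both ERROR lines come back with `user` and `extra_data` filled and the INFO line returns `None`, which is the parent prematch doing its job of keeping the children from running over every event. Because Python's regex engine backtracks differently from OSSEC's, this is a quick check on the extraction logic, not a substitute for ossec-logtest; note that logtest reports `user` as `dstuser`, as in Jared's trace.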
