Should have been:

I want to focus on
Extra_data = (HubSpotService)
hostname = (ip-20-20-20-20)
Extra_data = ErrorMessage=(Network problem, connection unexpectedly closed by peer)
On Monday, October 14, 2013 10:31:49 AM UTC-4, Jared wrote:
> I have several log instances where the predecoding kinda gets in the way.
>
> Example:
>
> Oct 14 13:17:56 ip-10-230-1-60 HubSpotService[1408]: HubSpotService@ip-10-10-10-10,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer
>
> **Phase 1: Completed pre-decoding.
> full event: 'Oct 14 13:17:56 ip-10-10-10-10 HubSpotService[1408]: HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer'
> hostname: 'ip-10-10-10-10'
> program_name: 'HubSpotService'
> log: 'HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> I would like the event to be:
>
> Oct 14 13:17:56 = Date
> ip-10-10-10-10 = Hostname of generating server
> HubSpotService[1408]: = dynamic application (about 20 possibilities here so far)
> HubSpotService@ip-20-20-20-20,
> ErrorCode=2300,
> ErrorMessage=Network problem, connection unexpectedly closed by peer
>
> I want to prevent the pre-decoding from processing this the way that it is.
>
> I want to focus on
> Extra_data = (HubSpotService)
> hostname = (ip-10-10-10-10)
> Extra_data = ErrorMessage=(Network problem, connection unexpectedly closed by peer)
>
> But I can't seem to write a decoder that gets around the pre-decoding. I am unable to write a decoder that will match this event at all, and I have several where I am in the same boat.
>
> Jared
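An added example, not from Jared's post and not one of the decoders shipped with OSSEC: a parent/child decoder pair plus a local rule for the line quoted above. The ossec-logtest output in the post shows that the predecoder has already pulled the syslog host into hostname and "HubSpotService" into program_name and left only the body after the colon in log, so the decoder does not need to get around predecoding; it keys on the predecoded program_name and then runs a regex over what remains. The decoder names, the rule id 100100, and the mapping of captured values to fields (the host after the @ into system_name, ErrorCode into id, ErrorMessage into extra_data) are my choices, not anything the thread specifies; the decoder order list has no hostname slot, so hostname stays the syslog header host and the @host has to go into another field.

```xml
<!-- Added example decoders (assumed names). Parent matches on the program_name
     the predecoder already extracted from "HubSpotService[1408]:". -->
<decoder name="hubspotservice">
  <program_name>^HubSpotService$</program_name>
</decoder>

<!-- Child: parse the body left in 'log' after predecoding:
     HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, ...
     Captures, in order: host after '@', numeric error code, free-text message. -->
<decoder name="hubspotservice-error">
  <parent>hubspotservice</parent>
  <prematch>^HubSpotService@</prematch>
  <regex offset="after_prematch">^(\S+),ErrorCode=(\d+),ErrorMessage=(\.+)</regex>
  <!-- Field mapping is an assumption of this example:
       system_name <- ip-20-20-20-20, id <- 2300, extra_data <- the message text. -->
  <order>system_name, id, extra_data</order>
</decoder>

<!-- Added example local rule (rules/local_rules.xml); id 100100 is an assumed
     value in the local range. Fires only for events the decoder above matched
     and whose decoded id is 2300. -->
<group name="local,hubspotservice,">
  <rule id="100100" level="5">
    <decoded_as>hubspotservice</decoded_as>
    <id>^2300$</id>
    <description>HubSpotService: network problem, connection unexpectedly closed by peer.</description>
  </rule>
</group>
```

Put the decoders in a decoder file that OSSEC loads, the rule in rules/local_rules.xml, restart, and paste the raw syslog line into /var/ossec/bin/ossec-logtest: Phase 2 should now report the hubspotservice decoder with the three fields instead of "No decoder matched", and Phase 3 should fire rule 100100 rather than the generic rule 1002 shown in the post. Because program_name is matched at the parent, a second application from the ~20 Jared mentions gets its own parent decoder with its own program_name and child regex rather than a change to this one.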
