On Mon, Oct 14, 2013 at 10:31 AM, Jared <[email protected]> wrote:
> I have several log instances where the predecoding kinda gets in the way.
>
> Example:
>
> Oct 14 13:17:56 ip-10-230-1-60 HubSpotService[1408]: HubSpotService@ip-10-10-10-10,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer
>
> **Phase 1: Completed pre-decoding.
> full event: 'Oct 14 13:17:56 ip-10-10-10-10 HubSpotService[1408]: HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer'
> hostname: 'ip-10-10-10-10'
> program_name: 'HubSpotService'
> log: 'HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer'
> **Phase 2: Completed decoding.
> No decoder matched.
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> I would like the event to be:
>
> Oct 14 13:17:56 = Date
> ip-10-10-10-10 = Hostname of generating server
> HubSpotService[1408]: = dynamic application (about 20 possibilities here so far)
> HubSpotService@ip-20-20-20-20,
> ErrorCode=2300,
> ErrorMessage=Network problem, connection unexpectedly closed by peer'
>
> I want to prevent the pre-decoding from processing this the way that it is.
>
> I want to focus on
> Extra_data = (HubSpotService)
> hostname = (ip-10-10-10-10)
> Extra_data = ErrorMessage=(Network problem, connection unexpectedly closed by peer)'
>
> But I can't seem to write a decoder that gets around the pre-decoding. I am unable to write a decoder that will match this event at all, and I have several where I am in the same boat.
>
> Jared
You can't really do what you want without modifying the code. Until then, try this:

    <decoder name="simple-hub">
      <program_name>hubspotservice</program_name>
      <regex>^(\S+)@(\S+),ErrorCode=(\d+),ErrorMessage=(\.+)$</regex>
      <order>extra_data,srcip,id,extra_data</order>
    </decoder>

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
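To make the interaction between pre-decoding and the suggested decoder concrete, here is an added Python model (not OSSEC's own code, and not from either poster) that approximates the syslog pre-decoder shown in the ossec-logtest trace and then applies the reply's decoder to the sample line. The header pattern, the case-insensitive program_name comparison and the Python translation of the OSSEC regex are assumptions made for this illustration.

```python
import re
# Constructed sample line, copied from the thread (its IPs are already placeholders).
SAMPLE = ("Oct 14 13:17:56 ip-10-10-10-10 HubSpotService[1408]: "
          "HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, "
          "connection unexpectedly closed by peer")
# Constructed variant with no syslog header, to show what the decoder sees then.
NO_HEADER = "HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=boom"

# Assumed, simplified model of OSSEC's syslog pre-decoder:
# "<Mon dd hh:mm:ss> <hostname> <program_name>[pid]: <log>".  The real one
# accepts more header variants, but yields the same three fields.
SYSLOG_HDR = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[\s:]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(line):
    """Return the pre-decoded fields; without a header the whole line is 'log'."""
    m = SYSLOG_HDR.match(line)
    return m.groupdict() if m else {"log": line}

# The decoder from the reply, its OSSEC regex rewritten in Python syntax
# (in OSSEC "\." means any character; "\S" and "\d" mean what they do in Python).
DECODER = {
    "name": "simple-hub",
    "program_name": "hubspotservice",
    "regex": re.compile(r"^(\S+)@(\S+),ErrorCode=(\d+),ErrorMessage=(.+)$"),
    "order": ["extra_data", "srcip", "id", "extra_data"],
}

def decode(line, decoder=DECODER):
    """Return (pre-decoded fields, decoded fields or None when the decoder does not match)."""
    pre = predecode(line)
    # program_name is compared case-insensitively here (an assumption; the reply
    # writes it in lower case).  A line with no header has no program_name, so
    # the decoder's regex is never tried on it.
    if pre.get("program_name", "").lower() != decoder["program_name"]:
        return pre, None
    m = decoder["regex"].match(pre["log"])
    if not m:
        return pre, None
    decoded = {}
    for field, value in zip(decoder["order"], m.groups()):
        decoded[field] = value  # a repeated field keeps only the later capture
    return pre, decoded

if __name__ == "__main__":
    for line in (SAMPLE, NO_HEADER):
        pre, dec = decode(line)
        print("pre-decoded:", pre, "\ndecoded:", dec)
```

Running it shows that hostname can only come from the syslog header, so the host after the @ has to land in some other field, which is why the reply maps it to srcip; it also shows that listing extra_data twice leaves only the error message in that field.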
