Re: [ossec-list] Help with ownCloud log decoder

Thu, 23 Jan 2014 11:09:31 -0800 

On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
> Want to decode this log message:
>
> {"app":"OCP\\Share","message":"Sharing backend
> OCA\\Contacts\\Share\\Addressbook not registered,
> OCA\\Contacts\\Share\\Addressbook is already registered for
> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>
> My ossec.conf file:
>
> <ossec_config>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/www/path-to-owncloud/data/owncloud.log</location>
>   </localfile>
> </ossec_config>
>
> And the local_decoder.xml file:
>
> <decoder name="owncloud">
>   <program_name></program_name>
>   <prematch>^{"app":[^}]*}</prematch>

I don't see everything after the ":" in your log sample.

> </decoder>
>
> Response from ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
>        full event: '{"app":"OCP\\Share","message":"Sharing backend
> OCA\\Contacts\\Share\\Addressbook not registered,
> OCA\\Contacts\\Share\\Addressbook is already registered for
> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>        hostname: 'cloud'
>        program_name: '(null)'
>        log: '{"app":"OCP\\Share","message":"Sharing backend
> OCA\\Contacts\\Share\\Addressbook not registered,
> OCA\\Contacts\\Share\\Addressbook is already registered for
> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> Could you please point me in the right direction? How do I get the decoder
> matching my log message? I tried many combinations of program_name and
> prematch nothing did work.
>
> greetings
> Sunny
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to