On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]>
> wrote:
> > Want to decode this log message:
> >
> > {"app":"OCP\\Share","message":"Sharing backend
> > OCA\\Contacts\\Share\\Addressbook not registered,
> > OCA\\Contacts\\Share\\Addressbook is already registered for
> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
> >
> > My ossec.conf file:
> >
> > <ossec_config>
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/www/path-to-owncloud/data/owncloud.log</location>
> > </localfile>
> > </ossec_config>
> >
> > And the local_decoder.xml file:
> >
> > <decoder name="owncloud">
> > <program_name></program_name>
> > <prematch>^{"app":[^}]*}</prematch>
>
> I don't see everything after the ":" in your log sample.
>
Hm, what do you mean by "everything"? ;)
The RegEx matches:
exactly: {"app":
then anything that is not a "}": [^}]*
and then exactly a "}": }
so it should match:
{"app":"OCP\\Share","message":"Sharing backend
OCA\\Contacts\\Share\\Addressbook not registered,
OCA\\Contacts\\Share\\Addressbook is already registered for
addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
> > </decoder>
> >
> > Response from ossec-logtest:
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '{"app":"OCP\\Share","message":"Sharing backend
> > OCA\\Contacts\\Share\\Addressbook not registered,
> > OCA\\Contacts\\Share\\Addressbook is already registered for
> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
> > hostname: 'cloud'
> > program_name: '(null)'
> > log: '{"app":"OCP\\Share","message":"Sharing backend
> > OCA\\Contacts\\Share\\Addressbook not registered,
> > OCA\\Contacts\\Share\\Addressbook is already registered for
> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
> >
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > Could you please point me in the right direction? How do I get the
> > decoder matching my log message? I tried many combinations of
> > program_name and prematch; nothing worked.
> >
> > greetings
> > Sunny
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
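Sunny's reading of the pattern is correct for a PCRE-style engine. The Python example below is added here and is not from the thread or from the OSSEC project: it checks the thread's prematch against the log line with Python's `re` module, then shows the more robust route for this input, decoding the line as the JSON object ownCloud actually writes and pulling out the `app`, `message`, `level` and `time` fields seen in the sample. One fact worth knowing that the thread does not state: OSSEC's decoder regex dialect is its own and does not support bracket expressions such as `[^}]`, so the prematch as written is not read by ossec-logtest the way a PCRE engine reads it; the example does not emulate the OSSEC dialect. It assumes one event per line (the mail client wrapped the sample) and that `level` is always a JSON number, as in the sample.

```python
import json
import re

# Constructed sample: the ownCloud log event from the thread, written as the
# single line ownCloud puts in owncloud.log (the mail client wrapped it).
# The file contains OCP\\Share with a JSON-escaped backslash, so the Python
# literal below needs four backslashes to produce two in the string.
SAMPLE_LINE = (
    '{"app":"OCP\\\\Share","message":"Sharing backend '
    'OCA\\\\Contacts\\\\Share\\\\Addressbook not registered, '
    'OCA\\\\Contacts\\\\Share\\\\Addressbook is already registered for '
    'addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
)

# The prematch from the thread, evaluated with PCRE-style semantics (Python's
# re module), which is the reading Sunny describes: literal {"app": then any
# run of non-} characters, then a literal }. This is NOT how OSSEC's own regex
# dialect interprets it (it has no bracket expressions).
THREAD_PREMATCH = re.compile(r'^\{"app":[^}]*\}')


def pcre_prematch(line: str) -> bool:
    """True if the thread's pattern matches the line under PCRE-style rules."""
    return THREAD_PREMATCH.match(line) is not None


def decode_owncloud_line(line: str):
    """Decode one owncloud.log line as JSON and return the fields a decoder
    would want (app, message, level, time), or None if the line is not a
    well-formed ownCloud event (assumed field names and types are taken
    from the sample in the thread)."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    if not isinstance(event, dict):
        return None
    required = ("app", "message", "level", "time")
    if any(key not in event for key in required):
        return None
    # A non-numeric level would be a malformed or foreign line; reject it
    # rather than let a rule compare against the wrong type.
    if not isinstance(event["level"], int):
        return None
    return {key: event[key] for key in required}


if __name__ == "__main__":
    print("PCRE prematch:", pcre_prematch(SAMPLE_LINE))
    print("Decoded:", decode_owncloud_line(SAMPLE_LINE))
```

Running it shows the pattern does match the single-line event under PCRE semantics, which is why the mismatch in ossec-logtest is a question of which regex dialect the decoder uses, not of the pattern's logic; decoding the JSON directly sidesteps the regex entirely and hands the fields to whatever rule needs them.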