On Thu, Jan 23, 2014 at 2:20 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote:
>> On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
>>> > Want to decode this log message:
>>> >
>>> > {"app":"OCP\\Share","message":"Sharing backend
>>> > OCA\\Contacts\\Share\\Addressbook not registered,
>>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>>> >
>>> > My ossec.conf file:
>>> >
>>> > <ossec_config>
>>> >   <localfile>
>>> >     <log_format>syslog</log_format>
>>> >     <location>/var/www/path-to-owncloud/data/owncloud.log</location>
>>> >   </localfile>
>>> > </ossec_config>
>>> >
>>> > And the local_decoder.xml file:
>>> >
>>> > <decoder name="owncloud">
>>> >   <program_name></program_name>
>>> >   <prematch>^{"app":[^}]*}</prematch>
>>>
>>> I don't see everything after the ":" in your log sample.
>>
>> Hm, what do you mean by "everything"? ;)
>>
>> The RegEx matches:
>>
>> exactly: {"app":
>> then anything that is not a "}": [^}]*
>> and then exactly a "}": }
>>
>> so it should match:
>>
>> {"app":"OCP\\Share","message":"Sharing backend
>> OCA\\Contacts\\Share\\Addressbook not registered,
>> OCA\\Contacts\\Share\\Addressbook is already registered for
>> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>>
>
> Welcome to OSSEC: http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax
>

I haven't verified it, but it looks like prematch isn't regex enabled either:
http://ossec.net/doc/syntax/head_decoders.html#element-decoder.prematch

>>>
>>> > </decoder>
>>> >
>>> > Response from ossec-logtest:
>>> >
>>> > **Phase 1: Completed pre-decoding.
>>> >        full event: '{"app":"OCP\\Share","message":"Sharing backend
>>> > OCA\\Contacts\\Share\\Addressbook not registered,
>>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>>> >        hostname: 'cloud'
>>> >        program_name: '(null)'
>>> >        log: '{"app":"OCP\\Share","message":"Sharing backend
>>> > OCA\\Contacts\\Share\\Addressbook not registered,
>>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>>> >
>>> > **Phase 2: Completed decoding.
>>> >        No decoder matched.
>>> >
>>> > Could you please point me in the right direction? How do I get the
>>> > decoder matching my log message? I tried many combinations of
>>> > program_name and prematch; nothing worked.
>>> >
>>> > greetings
>>> > Sunny
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
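The point dan is making is that OSSEC does not use PCRE: its regex page documents only the classes `\w \d \s \t \p \W \D \S \.` (where `\.` means "any character"), the modifiers `+` and `*`, the anchors `^` and `$`, and `|`/`( )`; there are no bracket classes, so `[^}]*` is read as ordinary characters and the prematch never fires. The following is an added example, not code from the thread or from the OSSEC project: a small Python emulation of that documented subset, used to show why the posted prematch fails against the sample line and how the same decoder looks in OSSEC's own syntax. The emulation's treatment of characters the docs do not list (`[`, `]`, a mid-pattern `^`, a bare `.`) as literals is an assumption about the engine, not a verified fact, and the mapping of the JSON keys onto OSSEC's fixed field names (`app` to `extra_data`, `message` to `data`, `level` to `status`) is my choice for the example. Any real decoder still needs to be checked with ossec-logtest.

```python
import re

# Constructed copy of the owncloud.log line from the thread. The backslashes
# are doubled in the raw log (JSON escaping), so they are doubled again here.
SAMPLE_LOG = (
    '{"app":"OCP\\\\Share","message":"Sharing backend '
    'OCA\\\\Contacts\\\\Share\\\\Addressbook not registered, '
    'OCA\\\\Contacts\\\\Share\\\\Addressbook is already registered for '
    'addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
)

# The character classes OSSEC's regex page documents, mapped to Python re.
# "\." in OSSEC means "any character"; there are no bracket classes at all.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9_]",
    "d": "[0-9]",
    "s": " ",
    "t": "\t",
    "p": "[()*+,\\-.:;<=>?\\[\\]!\"'#$%&|{}]",
    "W": "[^A-Za-z0-9_]",
    "D": "[^0-9]",
    "S": "[^ ]",
    ".": ".",
}

# Characters PCRE treats as operators but the documented OSSEC syntax does not.
PCRE_ONLY = "[]?"


def pcre_only_constructs(pattern):
    """Return the PCRE-only characters found in pattern (likely mistakes)."""
    return sorted({ch for ch in pattern if ch in PCRE_ONLY})


def ossec_to_python(pattern):
    r"""Translate the documented OSSEC regex subset into a Python re pattern.

    Simplified emulation, not OSSEC's engine (assumption): \w \d \s \t \p \W
    \D \S \. are classes; + * ( ) | are operators; ^ anchors only at the
    start and $ only at the end; every other character (including [ ] { } "
    and a bare .) is taken literally. Confirm real decoders with ossec-logtest.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:          # escaped class or escaped literal
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if ch in "+*()|":
            out.append(ch)
        elif ch == "^" and i == 0:
            out.append("^")
        elif ch == "$" and i == n - 1:
            out.append("$")
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def decode(prematch, regex, order, log):
    """Emulate one OSSEC decoder: prematch gates the event, regex fills order.

    Returns None when prematch does not fire (logtest's "No decoder matched"),
    {} when prematch fires but regex does not, else the captured fields.
    """
    if not re.search(ossec_to_python(prematch), log, re.DOTALL):
        return None
    m = re.search(ossec_to_python(regex), log, re.DOTALL)
    return dict(zip(order, m.groups())) if m else {}


# The prematch from the question: [^}]* is PCRE syntax, read literally by OSSEC.
BROKEN_PREMATCH = r'^{"app":[^}]*}'

# The same decoder in documented OSSEC syntax (constructed for this example).
# Field mapping is an assumption: app -> extra_data, message -> data,
# level -> status.
OWNCLOUD_PREMATCH = r'^{"app":"'
OWNCLOUD_REGEX = r'^{"app":"(\S+)","message":"(\.+)","level":(\d+)'
OWNCLOUD_ORDER = ("extra_data", "data", "status")

if __name__ == "__main__":
    print("PCRE-only characters in broken prematch:",
          pcre_only_constructs(BROKEN_PREMATCH))
    print("broken prematch ->",
          decode(BROKEN_PREMATCH, OWNCLOUD_REGEX, OWNCLOUD_ORDER, SAMPLE_LOG))
    print("ossec-syntax decoder ->",
          decode(OWNCLOUD_PREMATCH, OWNCLOUD_REGEX, OWNCLOUD_ORDER, SAMPLE_LOG))
```

In a real `local_decoder.xml` the two constructed patterns would go into `<prematch>` and `<regex>` with `<order>extra_data, data, status</order>`; run the sample line through ossec-logtest after editing, since this emulation only reproduces the documented syntax and not every quirk of the OSSEC matcher.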
