On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote:
> On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
>> > Want to decode this log message:
>> >
>> > {"app":"OCP\\Share","message":"Sharing backend
>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>> >
>> > My ossec.conf file:
>> >
>> > <ossec_config>
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/www/path-to-owncloud/data/owncloud.log</location>
>> >   </localfile>
>> > </ossec_config>
>> >
>> > And the local_decoder.xml file:
>> >
>> > <decoder name="owncloud">
>> >   <program_name></program_name>
>> >   <prematch>^{"app":[^}]*}</prematch>
>>
>> I don't see everything after the ":" in your log sample.
>
>
> Hm, what do you mean by "everything"? ;)
>
> The RegEx matches:
>
> exactly: {"app":
> then anything that is not a "}": [^}]*
> and then exactly a "}": }
>
> so it should match:
>
> {"app":"OCP\\Share","message":"Sharing backend
> OCA\\Contacts\\Share\\Addressbook not registered,
> OCA\\Contacts\\Share\\Addressbook is already registered for
> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>
Welcome to OSSEC: http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax

>> > </decoder>
>> >
>> > Response from ossec-logtest:
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '{"app":"OCP\\Share","message":"Sharing backend
>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>> >        hostname: 'cloud'
>> >        program_name: '(null)'
>> >        log: '{"app":"OCP\\Share","message":"Sharing backend
>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>> >
>> > **Phase 2: Completed decoding.
>> >        No decoder matched.
>> >
>> > Could you please point me in the right direction? How do I get the
>> > decoder matching my log message? I tried many combinations of
>> > program_name and prematch; nothing worked.
>> >
>> > greetings
>> > Sunny
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
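Editor's note with an added example (not code from the thread or from the OSSEC project). The regex page dan links to is the whole answer: OSSEC's matcher (OS_Regex) is not PCRE. It has no character classes, so in `^{"app":[^}]*}` the characters `[`, `^`, `}` and `]` are matched literally, the `*` applies to the literal `]`, and the prematch fails at the first `"` after `"app":`. The documented syntax instead uses `\.` for "any character", `\d`, `\w`, `\s` and their negations, with `^` and `$` as anchors only at the ends of a pattern. A second problem is the empty `<program_name>`: ossec-logtest shows `program_name: '(null)'` for this line, so a decoder keyed on a program name is never tried; a plain-file log like this should rely on `<prematch>` alone. The script below embeds the posted decoder and a corrected one, translates the documented OSSEC escapes into Python `re` syntax as a rough stand-in for OS_Regex, and replays the decode against the log line from the thread (reassembled onto one line, as it is on disk). The `<order>` field names (`extra_data`, `data`, `status`) are standard OSSEC fields chosen here for illustration; the translation is an approximation of the documented subset and ignores OS_Regex's own quantifier quirks, so `ossec-logtest` remains the authority, and values that themselves contain a `"` would need a tighter pattern.

```python
import re
import xml.etree.ElementTree as ET

# Escapes documented at http://ossec.net/doc/syntax/regex.html mapped onto Python
# classes; "\." in OSSEC syntax means "any character". Approximation, not OS_Regex.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": r"[^A-Za-z0-9@_\-]", "D": r"[^0-9]", "S": r"[^ ]", ".": r"[\s\S]",
}


def _translate_alternative(alt):
    """Translate one '|'-free OSSEC pattern into Python re syntax."""
    out, i, n = [], 0, len(alt)
    if alt.startswith("^"):                    # '^' anchors only at the start
        out.append("^")
        i = 1
    end_anchor = alt.endswith("$") and not alt.endswith(r"\$")
    if end_anchor:                             # '$' anchors only at the end
        n -= 1
    while i < n:
        c = alt[i]
        if c == "\\" and i + 1 < n:            # "\w", "\d", ... ; "\x" otherwise literal x
            out.append(OSSEC_CLASSES.get(alt[i + 1], re.escape(alt[i + 1])))
            i += 2
        elif c in "()*+":                      # grouping and repetition keep their meaning
            out.append(c)
            i += 1
        else:                                  # everything else, [ ] { } ^ included, is literal
            out.append(re.escape(c))
            i += 1
    if end_anchor:
        out.append("$")
    return "".join(out)


def ossec_to_python(pattern):
    """'|' separates whole patterns in OSSEC, so each side is translated on its own."""
    alts = re.split(r"(?<!\\)\|", pattern)
    if len(alts) == 1:
        return _translate_alternative(pattern)
    return "|".join("(?:%s)" % _translate_alternative(a) for a in alts)


def ossec_match(pattern, text):
    return re.search(ossec_to_python(pattern), text)


def decode(decoder_xml, log, program_name=None):
    """Replay ossec-logtest Phase 2 for one <decoder>: program_name gate, prematch,
    then regex + order. Returns None when the decoder does not match at all."""
    dec = ET.fromstring(decoder_xml)
    # Assumption modelled here: a decoder that declares <program_name> is only
    # tried when the syslog pre-decoder found one; this line had '(null)'.
    if dec.find("program_name") is not None and program_name is None:
        return None
    prematch = dec.findtext("prematch")
    if prematch and not ossec_match(prematch, log):
        return None
    result = {"decoder": dec.get("name")}
    regex, order = dec.findtext("regex"), dec.findtext("order")
    if regex and order:
        m = ossec_match(regex, log)
        if m:
            result.update(zip([f.strip() for f in order.split(",")], m.groups()))
    return result


# Constructed sample: the owncloud.log line from the thread, on one line as on disk.
SAMPLE_LOG = (
    r'{"app":"OCP\\Share","message":"Sharing backend '
    r'OCA\\Contacts\\Share\\Addressbook not registered, '
    r'OCA\\Contacts\\Share\\Addressbook is already registered for '
    r'addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
)

# The decoder as posted: "[^}]" is not a class in OSSEC, and the line has no program_name.
ORIGINAL_DECODER_XML = r'''<decoder name="owncloud">
  <program_name></program_name>
  <prematch>^{"app":[^}]*}</prematch>
</decoder>'''

# Corrected decoder in OSSEC syntax. Field names in <order> are illustrative choices:
# app -> extra_data, message -> data, level -> status.
FIXED_DECODER_XML = r'''<decoder name="owncloud">
  <prematch>^{"app":"</prematch>
  <regex>^{"app":"(\.+)","message":"(\.+)","level":(\d+),"time":"\.+"}$</regex>
  <order>extra_data, data, status</order>
</decoder>'''

if __name__ == "__main__":
    print("posted prematch matches:", ossec_match(r'^{"app":[^}]*}', SAMPLE_LOG) is not None)
    print("posted decoder:", decode(ORIGINAL_DECODER_XML, SAMPLE_LOG))
    print("fixed decoder:", decode(FIXED_DECODER_XML, SAMPLE_LOG))
```

Drop the corrected `<decoder>` into local_decoder.xml, paste the log line into `ossec-logtest` again, and Phase 2 should now name the decoder and list the captured fields instead of "No decoder matched".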
