Oh, ok. It's a subset of regular regular expressions. ;) Thanks!

On Thursday, 23 January 2014 20:21:29 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jan 23, 2014 at 2:20 PM, dan (ddp) <[email protected]> wrote: 
> > On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote: 
> >> On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote: 
> >>> 
> >>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote: 
> >>> > Want to decode this log message: 
> >>> > 
> >>> > {"app":"OCP\\Share","message":"Sharing backend 
> >>> > OCA\\Contacts\\Share\\Addressbook not registered, 
> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for 
> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"} 
> >>> > 
> >>> > My ossec.conf file: 
> >>> > 
> >>> > <ossec_config> 
> >>> >   <localfile> 
> >>> >     <log_format>syslog</log_format> 
> >>> >     <location>/var/www/path-to-owncloud/data/owncloud.log</location> 
> >>> >   </localfile> 
> >>> > </ossec_config> 
> >>> > 
> >>> > And the local_decoder.xml file: 
> >>> > 
> >>> > <decoder name="owncloud"> 
> >>> >   <program_name></program_name> 
> >>> >   <prematch>^{"app":[^}]*}</prematch> 
> >>> 
> >>> I don't see everything after the ":" in your log sample. 
> >> 
> >> 
> >> Hm, what do you mean by "everything"? ;) 
> >> 
> >> The RegEx matches: 
> >> 
> >> exactly: {"app": 
> >> then anything that is not a "}": [^}]* 
> >> and then exactly a "}": } 
> >> 
> >> so it should match: 
> >> 
> >> 
> >> {"app":"OCP\\Share","message":"Sharing backend 
> >> OCA\\Contacts\\Share\\Addressbook not registered, 
> >> OCA\\Contacts\\Share\\Addressbook is already registered for 
> >> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"} 
> >> 
> > 
> > Welcome to OSSEC: 
> http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax 
> > 
>
> I haven't verified it, but it looks like prematch isn't regex enabled 
> either: 
> http://ossec.net/doc/syntax/head_decoders.html#element-decoder.prematch 
>
> >>> 
> >>> > </decoder> 
> >>> > 
> >>> > Response from ossec-logtest: 
> >>> > 
> >>> > **Phase 1: Completed pre-decoding. 
> >>> >        full event: '{"app":"OCP\\Share","message":"Sharing backend 
> >>> > OCA\\Contacts\\Share\\Addressbook not registered, 
> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for 
> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}' 
> >>> >        hostname: 'cloud' 
> >>> >        program_name: '(null)' 
> >>> >        log: '{"app":"OCP\\Share","message":"Sharing backend 
> >>> > OCA\\Contacts\\Share\\Addressbook not registered, 
> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for 
> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}' 
> >>> > 
> >>> > **Phase 2: Completed decoding. 
> >>> >        No decoder matched. 
> >>> > 
> >>> > Could you please point me in the right direction? How do I get the 
> >>> > decoder to match my log message? I tried many combinations of 
> >>> > program_name and prematch; nothing worked. 
> >>> > 
> >>> > greetings 
> >>> > Sunny 
> >>> > 
> >>> > -- 
> >>> > 
> >>> > --- 
> >>> > You received this message because you are subscribed to the Google Groups "ossec-list" group. 
> >>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. 
> >>> > For more options, visit https://groups.google.com/groups/opt_out. 
> >> 
>

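For readers landing on this thread with the same problem, below is a decoder for the quoted ownCloud JSON line written in OSSEC's own regex dialect (OS_Regex). It is an illustration added here, not code from the thread or from the OSSEC project. OS_Regex has no bracket character classes, so `[^}]*` is not available and would be read as literal characters; `\.+` (one or more of any character) and `\d+` (one or more digits) are used instead, and `{`, `"`, `:` and `,` are plain literals that need no escaping. The `<program_name>` element is left out because the pre-decoding output above shows `program_name: '(null)'`: a decoder with no program_name is tried against every log line. The alert fields picked in `<order>` are an assumption about how one might want the values exposed.

```xml
<!-- Added example decoder, not from the thread or the OSSEC project.
     Target line (constructed from the sample quoted in the thread):
     {"app":"OCP\\Share","message":"Sharing backend ... for addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"} -->
<decoder name="owncloud">
  <!-- Cheap literal check first. No <program_name>, so every log line is tested. -->
  <prematch>^{"app":"</prematch>
  <!-- OS_Regex subset: \.+ = any character one or more times, \d+ = digits.
       Bracket classes such as [^}] are NOT supported and must not be used here.
       The time field is deliberately not captured; the match need not reach the end of the line. -->
  <regex>^{"app":"(\.+)","message":"(\.+)","level":(\d+),</regex>
  <!-- Capture groups map in order: app -> extra_data, message -> data, level -> status
       (the choice of alert fields is an assumption for this example). -->
  <order>extra_data, data, status</order>
</decoder>
```

To check it, drop the decoder into `local_decoder.xml`, feed the single JSON line to `/var/ossec/bin/ossec-logtest` on stdin, and Phase 2 should now report `decoder: 'owncloud'` together with the three extracted fields instead of "No decoder matched".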