Oh, ok. It's a subset of regular regular expressions. ;) Thanks!

On Thursday, 23 January 2014 20:21:29 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jan 23, 2014 at 2:20 PM, dan (ddp) <[email protected]> wrote:
> > On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote:
> >> On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote:
> >>>
> >>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
> >>> > Want to decode this log message:
> >>> >
> >>> > {"app":"OCP\\Share","message":"Sharing backend
> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
> >>> >
> >>> > My ossec.conf file:
> >>> >
> >>> > <ossec_config>
> >>> >   <localfile>
> >>> >     <log_format>syslog</log_format>
> >>> >     <location>/var/www/path-to-owncloud/data/owncloud.log</location>
> >>> >   </localfile>
> >>> > </ossec_config>
> >>> >
> >>> > And the local_decoder.xml file:
> >>> >
> >>> > <decoder name="owncloud">
> >>> >   <program_name></program_name>
> >>> >   <prematch>^{"app":[^}]*}</prematch>
> >>>
> >>> I don't see everything after the ":" in your log sample.
> >>
> >>
> >> Hm, what do you mean with "everything"? ;)
> >>
> >> The RegEx matches:
> >>
> >> exactly: {"app":
> >> then anything that is not a "}": [^}]*
> >> and then exactly a "}": }
> >>
> >> so it should match:
> >>
> >> {"app":"OCP\\Share","message":"Sharing backend
> >> OCA\\Contacts\\Share\\Addressbook not registered,
> >> OCA\\Contacts\\Share\\Addressbook is already registered for
> >> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
> >>
> >
> > Welcome to OSSEC:
> > http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax
> >
>
> I haven't verified it, but it looks like prematch isn't regex enabled
> either:
> http://ossec.net/doc/syntax/head_decoders.html#element-decoder.prematch
>
> >>>
> >>> > </decoder>
> >>> >
> >>> > Response from ossec-logtest:
> >>> >
> >>> > **Phase 1: Completed pre-decoding.
> >>> >        full event: '{"app":"OCP\\Share","message":"Sharing backend
> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
> >>> >        hostname: 'cloud'
> >>> >        program_name: '(null)'
> >>> >        log: '{"app":"OCP\\Share","message":"Sharing backend
> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
> >>> >
> >>> > **Phase 2: Completed decoding.
> >>> >        No decoder matched.
> >>> >
> >>> > Could you please point me in the right direction? How do I get the
> >>> > decoder matching my log message? I tried many combinations of
> >>> > program_name and prematch; nothing worked.
> >>> >
> >>> > greetings
> >>> > Sunny
> >>> >
> >>> > --
> >>> >
> >>> > ---
> >>> > You received this message because you are subscribed to the Google
> >>> > Groups "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it, send
> >>> > an email to [email protected].
> >>> > For more options, visit https://groups.google.com/groups/opt_out.
> >>
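As an added example that is not part of this thread and not OSSEC code: the script below approximates the OS_Regex token set documented on the regex page linked above by rewriting an OSSEC pattern into a Python `re` pattern, so a decoder's prematch and regex can be tried against the owncloud line offline before reaching for ossec-logtest. It reproduces why `^{"app":[^}]*}` never matches under OSSEC rules (`[`, `]` and a mid-pattern `^` are literals there) and shows an OSSEC-syntax `<regex>` that pulls the four JSON fields out of the line. The translator, the `OSSEC_REGEX` pattern, the field names and the constructed sample line are my assumptions; the real engine is a separate C implementation with simpler matching than Python's backtracking `re`, so agreement here is a hint, not proof.

```python
"""Offline checker for OSSEC-style decoder patterns (added example, not OSSEC code).

Approximates the OS_Regex token set from http://ossec.net/doc/syntax/regex.html
by rewriting an OSSEC pattern into a Python ``re`` pattern.
"""
import json
import re

# Documented OS_Regex escapes and the Python classes used to approximate them.
_OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9@_\-]",       # A-Z, a-z, 0-9, '-', '@', '_'
    "W": r"[^A-Za-z0-9@_\-]",      # anything not \w
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r" ",
    "S": r"[^ ]",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",  # documented punctuation set
    ".": r".",                     # '\.' is "any character" in OSSEC
}
_OSSEC_META = set("+*|()")  # the only metacharacters besides ^, $ and backslash


def ossec_to_python(pattern: str) -> str:
    """Rewrite an OSSEC OS_Regex pattern as a Python regular expression.

    Everything outside the documented token set ('[', ']', '{', '}', '.',
    '?', ...) is a literal in OSSEC, which is why a PCRE-style class such as
    '[^}]*' never matches what its author expects.  Assumption of this
    translator: '^' anchors only at the start and '$' only at the end.
    """
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))  # '\(' -> literal '('
            i += 2
            continue
        if c in _OSSEC_META:
            out.append(c)
        elif c == "^" and i == 0:
            out.append("^")
        elif c == "$" and i == n - 1:
            out.append("$")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def ossec_search(pattern: str, line: str):
    """Return the captured groups (a tuple) if the pattern matches, else None."""
    m = re.search(ossec_to_python(pattern), line)
    return m.groups() if m else None


# Constructed sample: the owncloud.log entry from the thread, joined onto one line.
SAMPLE_LOG = (r'{"app":"OCP\\Share","message":"Sharing backend '
              r'OCA\\Contacts\\Share\\Addressbook not registered, '
              r'OCA\\Contacts\\Share\\Addressbook is already registered for '
              r'addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}')

# The prematch from the thread, written in PCRE style: '[^}]*' is not OSSEC syntax.
PCRE_STYLE_PREMATCH = r'^{"app":[^}]*}'
# Assumed OSSEC-syntax replacement: anchor on the literal prefix only.
OSSEC_PREMATCH = r'^{"app":'
# Assumed OSSEC-syntax field extractor (hypothetical decoder <regex>, not from the thread).
OSSEC_REGEX = r'^{"app":"(\.+)","message":"(\.+)","level":(\d+),"time":"(\.+)"}$'
FIELDS = ("app", "message", "level", "time")


def decode(line: str, prematch: str = OSSEC_PREMATCH, regex: str = OSSEC_REGEX):
    """Mimic the decoder flow: prematch must hit, then regex captures the fields."""
    if ossec_search(prematch, line) is None:
        return None            # what ossec-logtest reports as "No decoder matched"
    groups = ossec_search(regex, line)
    return dict(zip(FIELDS, groups)) if groups else {}


def json_cross_check(line: str):
    """Return (decoded 'app' as captured, 'app' after a real JSON parse).

    The regex capture keeps the JSON escaping (two backslashes); a rule that
    compares the field against a plain value must account for that.
    """
    return decode(line)["app"], json.loads(line)["app"]


if __name__ == "__main__":
    print("PCRE-style prematch under OSSEC rules:", ossec_search(PCRE_STYLE_PREMATCH, SAMPLE_LOG))
    print("same pattern under Python re:", bool(re.search(PCRE_STYLE_PREMATCH, SAMPLE_LOG)))
    print("decoded fields:", decode(SAMPLE_LOG))
    print("app as captured vs. parsed:", json_cross_check(SAMPLE_LOG))
```

Running it prints `None` for the PCRE-style prematch (the decoder path the thread hit), `True` for the same text under Python's `re`, and the four fields for the OSSEC-syntax pair. The cross-check line is the part worth remembering for rule writing: values captured from a JSON log keep their JSON escaping, so `OCP\\Share` arrives with two backslashes, not one.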
