On Thu, Jan 23, 2014 at 2:28 PM, SunboX <[email protected]> wrote:
> Oh, ok. It's a subset of regular regular expressions. ;) Thanks!
>

Yep, very frustrating. That's on the long todo list as well.

> On Thursday, 23 January 2014 20:21:29 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Jan 23, 2014 at 2:20 PM, dan (ddp) <[email protected]> wrote:
>> > On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote:
>> >> On Thursday, 23 January 2014 20:09:06 UTC+1, dan (ddpbsd) wrote:
>> >>>
>> >>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
>> >>> > Want to decode this log message:
>> >>> >
>> >>> > {"app":"OCP\\Share","message":"Sharing backend
>> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>> >>> >
>> >>> > My ossec.conf file:
>> >>> >
>> >>> > <ossec_config>
>> >>> >   <localfile>
>> >>> >     <log_format>syslog</log_format>
>> >>> >     <location>/var/www/path-to-owncloud/data/owncloud.log</location>
>> >>> >   </localfile>
>> >>> > </ossec_config>
>> >>> >
>> >>> > And the local_decoder.xml file:
>> >>> >
>> >>> > <decoder name="owncloud">
>> >>> >   <program_name></program_name>
>> >>> >   <prematch>^{"app":[^}]*}</prematch>
>> >>>
>> >>> I don't see everything after the ":" in your log sample.
>> >>
>> >>
>> >> Hm, what do you mean with "everything"? ;)
>> >>
>> >> The RegEx matches:
>> >>
>> >> exactly: {"app":
>> >> then anything that is not a "}": [^}]*
>> >> and then exactly a "}": }
>> >>
>> >> so it should match:
>> >>
>> >> {"app":"OCP\\Share","message":"Sharing backend
>> >> OCA\\Contacts\\Share\\Addressbook not registered,
>> >> OCA\\Contacts\\Share\\Addressbook is already registered for
>> >> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
>> >>
>> >
>> > Welcome to OSSEC:
>> > http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax
>> >
>>
>> I haven't verified it, but it looks like prematch isn't regex enabled
>> either:
>> http://ossec.net/doc/syntax/head_decoders.html#element-decoder.prematch
>>
>> >>>
>> >>> > </decoder>
>> >>> >
>> >>> > Response from ossec-logtest:
>> >>> >
>> >>> > **Phase 1: Completed pre-decoding.
>> >>> > full event: '{"app":"OCP\\Share","message":"Sharing backend
>> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>> >>> > hostname: 'cloud'
>> >>> > program_name: '(null)'
>> >>> > log: '{"app":"OCP\\Share","message":"Sharing backend
>> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
>> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
>> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
>> >>> >
>> >>> > **Phase 2: Completed decoding.
>> >>> > No decoder matched.
>> >>> >
>> >>> > Could you please point me in the right direction? How do I get the
>> >>> > decoder matching my log message? I tried many combinations of
>> >>> > program_name and prematch; nothing did work.
>> >>> >
>> >>> > greetings
>> >>> > Sunny
>> >>> >
>> >>> > --
>> >>> >
>> >>> > ---
>> >>> > You received this message because you are subscribed to the Google
>> >>> > Groups "ossec-list" group.
>> >>> > To unsubscribe from this group and stop receiving emails from it,
>> >>> > send an email to [email protected].
>> >>> > For more options, visit https://groups.google.com/groups/opt_out.
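The practical takeaway of the thread is that OSSEC's regex dialect (the syntax page Dan linked) has no bracket character classes, so `[^}]*` never behaves as it would in PCRE: `\.` is the "any character" wildcard, and `\S`, `\w` and `\d` are the available classes. Below is a decoder written in that dialect for the ownCloud JSON line from the thread. It is an added example, not code from the thread or from the OSSEC project, and two things in it are assumptions: that a literal-prefix prematch followed by a child decoder with `offset="after_prematch"` is the cleanest fit here, and the mapping of the JSON keys onto OSSEC's fixed `<order>` field names (app as extra_data, message as data, level as status).

```xml
<!-- Added example (not from the thread or the OSSEC project):
     local_decoder.xml entries for owncloud.log in OSSEC regex syntax. -->

<!-- Parent decoder: matches the start of every ownCloud JSON line.
     OSSEC regex has no [^}] character class, so a literal prefix is used
     instead of the PCRE pattern from the original post. -->
<decoder name="owncloud">
  <prematch>^{"app":"</prematch>
</decoder>

<!-- Child decoder: continues after the prematch and captures three fields.
     \S+ = run of non-space characters (the app name, backslashes included)
     \.+ = run of any characters (the free-text message)
     \d+ = run of digits (the numeric level)
     The order mapping below is an assumption made for this example. -->
<decoder name="owncloud-fields">
  <parent>owncloud</parent>
  <regex offset="after_prematch">^(\S+)","message":"(\.+)","level":(\d+),"time":</regex>
  <order>extra_data, data, status</order>
</decoder>
```

Check it the same way the thread does: feed the sample line to ossec-logtest after restarting OSSEC. Phase 2 should then name the owncloud-fields decoder and list the three captured values instead of reporting "No decoder matched"; if it still fails, shorten the child regex from the right until it matches, which isolates the escape that the engine reads differently than PCRE would.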
