Ok, got it working with this decoder:
<!-- ownCloud decoder.
- Example:
- {"app":"OCP\\Share","message":"Sharing backend
OCA\\Contacts\\Share\\Addressbook not registered,
OCA\\Contacts\\Share\\Addressbook is already registered for
addressbook","level":2,"time":"2014-01-23T$
-->
<decoder name="owncloud">
<prematch>^{"app":</prematch>
<regex>app":"(\S+)","message":"(\.+)","level":(\d+),"time":</regex>
<order>action, extra_data, status</order>
</decoder>
Am Donnerstag, 23. Januar 2014 20:30:45 UTC+1 schrieb dan (ddpbsd):
>
> On Thu, Jan 23, 2014 at 2:28 PM, SunboX <[email protected]> wrote:
> > Oh, ok. It's a subset of regular regular expressions. ;) Thanks!
> >
>
> Yep, very frustrating. That's on the long todo list as well.
>
> > Am Donnerstag, 23. Januar 2014 20:21:29 UTC+1 schrieb dan (ddpbsd):
> >>
> >> On Thu, Jan 23, 2014 at 2:20 PM, dan (ddp) <[email protected]> wrote:
> >> > On Thu, Jan 23, 2014 at 2:19 PM, SunboX <[email protected]> wrote:
> >> >> Am Donnerstag, 23. Januar 2014 20:09:06 UTC+1 schrieb dan (ddpbsd):
> >> >>>
> >> >>> On Thu, Jan 23, 2014 at 2:05 PM, SunboX <[email protected]> wrote:
> >> >>> > Want to decode this log message:
> >> >>> >
> >> >>> > {"app":"OCP\\Share","message":"Sharing backend
> >> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
> >> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
> >> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
> >> >>> >
> >> >>> > My ossec.conf file:
> >> >>> >
> >> >>> > <ossec_config>
> >> >>> > <localfile>
> >> >>> > <log_format>syslog</log_format>
> >> >>> > <location>/var/www/path-to-owncloud/data/owncloud.log</location>
> >> >>> > </localfile>
> >> >>> > </ossec_config>
> >> >>> >
> >> >>> > And the local_decoder.xml file:
> >> >>> >
> >> >>> > <decoder name="owncloud">
> >> >>> > <program_name></program_name>
> >> >>> > <prematch>^{"app":[^}]*}</prematch>
> >> >>>
> >> >>> I don't see everything after the ":" in your log sample.
> >> >>
> >> >>
> >> >> Hm, what do you mean with "everything"? ;)
> >> >>
> >> >> The RegEx matches:
> >> >>
> >> >> exactly: {"app":
> >> >> then anything that is not a "}": [^}]*
> >> >> and then exactly a "}": }
> >> >>
> >> >> so it should match:
> >> >>
> >> >>
> >> >> {"app":"OCP\\Share","message":"Sharing backend
> >> >> OCA\\Contacts\\Share\\Addressbook not registered,
> >> >> OCA\\Contacts\\Share\\Addressbook is already registered for
> >> >> addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}
> >> >>
> >> >
> >> > Welcome to OSSEC:
> >> > http://ossec.net/doc/syntax/regex.html#or-regex-regex-syntax
> >> >
> >>
> >> I haven't verified it, but it looks like prematch isn't regex enabled
> >> either:
> >> http://ossec.net/doc/syntax/head_decoders.html#element-decoder.prematch
> >>
> >> >>>
> >> >>> > </decoder>
> >> >>> >
> >> >>> > Response from ossec-logtest:
> >> >>> >
> >> >>> > **Phase 1: Completed pre-decoding.
> >> >>> > full event: '{"app":"OCP\\Share","message":"Sharing backend
> >> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
> >> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
> >> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
> >> >>> > hostname: 'cloud'
> >> >>> > program_name: '(null)'
> >> >>> > log: '{"app":"OCP\\Share","message":"Sharing backend
> >> >>> > OCA\\Contacts\\Share\\Addressbook not registered,
> >> >>> > OCA\\Contacts\\Share\\Addressbook is already registered for
> >> >>> > addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
> >> >>> >
> >> >>> > **Phase 2: Completed decoding.
> >> >>> > No decoder matched.
> >> >>> >
> >> >>> > Could you please point me in the right direction? How do I get the
> >> >>> > decoder matching my log message? I tried many combinations of
> >> >>> > program_name and prematch, nothing did work.
> >> >>> >
> >> >>> > greetings
> >> >>> > Sunny
> >> >>> >
> >> >>> > --
> >> >>> >
> >> >>> > ---
> >> >>> > You received this message because you are subscribed to the
> Google
> >> >>> > Groups
> >> >>> > "ossec-list" group.
> >> >>> > To unsubscribe from this group and stop receiving emails from it,
> >> >>> > send
> >> >>> > an
> >> >>> > email to [email protected].
> >> >>> > For more options, visit https://groups.google.com/groups/opt_out.
>
> >
>
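The decoder at the top of this message, emulated in Python as an added illustration (this is not code from the thread, from ownCloud or from OSSEC). The escape table is taken from the OSSEC regex syntax page linked in the thread; mapping it onto Python's `re` is an approximation, since OSSEC uses its own matcher rather than PCRE. The sample log line is the one quoted in the thread, rejoined onto a single line as OSSEC would read it from the file; the function and variable names are this example's own.

```python
import re

# OSSEC's OS_Regex escapes (ossec.net/doc/syntax/regex.html) mapped to Python
# re fragments. Approximation for this example: OSSEC's matcher is not PCRE,
# so edge cases (backtracking, greediness) can differ from Python's.
OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9_@^\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "W": r"[^A-Za-z0-9_@^\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",  # in OSSEC "\." means "any character"
}

# Characters that carry the same meaning in OSSEC and Python regex syntax.
OSSEC_SPECIAL = set("()+*^$|")


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into Python re syntax.

    Anything that is not a known escape or a shared special character is a
    literal in OSSEC's subset, including '[', ']', '{' and '"'; there are no
    character classes, so "[^}]*" is not what a PCRE user expects.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("dangling backslash in OSSEC pattern")
            esc = pattern[i]
            out.append(OSSEC_ESCAPES.get(esc, re.escape(esc)))
        elif ch in OSSEC_SPECIAL:
            out.append(ch)
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def decode(decoder: dict, log_line: str):
    """Apply one decoder roughly the way ossec-logtest's phase 2 does.

    Returns None when the prematch fails (decoder not selected), an empty
    dict when the prematch matched but the regex did not, and otherwise a
    mapping of the <order> field names to the captured groups.
    """
    prematch = re.compile(ossec_regex_to_python(decoder["prematch"]))
    if not prematch.search(log_line):
        return None
    match = re.compile(ossec_regex_to_python(decoder["regex"])).search(log_line)
    if not match:
        return {}
    return dict(zip(decoder["order"], match.groups()))


# The working decoder from the message above, as a dict instead of XML.
OWNCLOUD_DECODER = {
    "name": "owncloud",
    "prematch": r'^{"app":',
    "regex": r'app":"(\S+)","message":"(\.+)","level":(\d+),"time":',
    "order": ["action", "extra_data", "status"],
}

# The first attempt from the thread: "[^}]*" is PCRE syntax that OSSEC's
# subset does not have, so '[' and ']' are searched for literally and the
# decoder never matches (the "No decoder matched" seen in ossec-logtest).
PCRE_STYLE_DECODER = dict(OWNCLOUD_DECODER, prematch=r'^{"app":[^}]*}')

# The ownCloud log line quoted in the thread, rejoined onto one line.
# The doubled backslashes are JSON escaping and appear literally in the file.
SAMPLE_LOG = (
    r'{"app":"OCP\\Share","message":"Sharing backend '
    r'OCA\\Contacts\\Share\\Addressbook not registered, '
    r'OCA\\Contacts\\Share\\Addressbook is already registered for '
    r'addressbook","level":2,"time":"2014-01-23T17:59:34+00:00"}'
)

if __name__ == "__main__":
    print("working decoder:", decode(OWNCLOUD_DECODER, SAMPLE_LOG))
    print("PCRE-style prematch:", decode(PCRE_STYLE_DECODER, SAMPLE_LOG))
```

Running it shows the three fields the `<order>` line assigns (`action` = the app, `extra_data` = the message text, `status` = the numeric level) for the working decoder, and `None` for the `[^}]*` variant, which is the behaviour the thread reports. The translator is also useful on its own for sanity-checking a pattern before restarting ossec-analysisd.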