On Fri, Feb 21, 2014 at 5:44 PM, Julien T <[email protected]> wrote:
>
>> Looks like they all default to "id."
>
> => what do you mean ? all extra_data fields are inside id field? still no
> matching for me :(
>
When you use the wrong <order> names, they all came out as "id." vendorid was decoded as just id.

>>
>> No idea what is wrong, there should always be a Phase 2, even if it's
>> just reporting that no decoder matched.
>
>
> # strings /opt/local/var/ossec/bin/ossec-logtest |grep -i "phase"
>
> **Phase 3: Completed filtering (rules).
> **Phase 1: Completed pre-decoding.
>

It's entirely possible there is something wrong with your installation. I'd recommend a redownload/recompile:

# strings /var/ossec/bin/ossec-logtest | grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.

>
>>
>> I didn't try the rule, but I don't have to. Rule 5100 matches
>> program_name kernel.
>> Chances are if the program_name is kernel, the event gets decoded as
>> "iptables."
>
>
> yeah, this part is working. no matching the usb-insert decoder.
>
>
>>
>> 'thread 0x[0-9a-f]+' does not appear in the log message, it shouldn't
>> surprise anyone that this does not match.
>>
>
> That's just different try to regexp a hexa code "(thread 0x1166e0000):", but
> no luck
> 0[xX][0-9a-fA-F]+
> 0x[0-9a-f]+
> 0x[0-9a-f].+
> /w+
> .+
>
> parenthesis are probably also part of the problem.
>

I have no idea what this is supposed to mean. Those strings do not appear in the log message. They also are not valid OSSEC regex, so I'm very confused.

>>
>
> No problem. Thanks.
>
> Julien
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
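The two problems in this thread are both about OSSEC's own decoder dialect rather than about the log line. First, `<order>` only accepts OSSEC's fixed field names (`extra_data`, `id`, `user`, `srcip`, `data`, and so on); an invented name such as `vendorid` is not rejected, the capture silently lands in `id`, and any rule keyed on `extra_data` never fires. Second, OSSEC regexes have no `[0-9a-f]` bracket classes and no PCRE `.`: the only classes are `\w` (A-Z, a-z, 0-9, `-`, `@`, `_`), `\d`, `\s`, `\p` (punctuation), their negations, and `\.` for any character, with `\(` and `\)` for literal parentheses. The decoder below is an added example, not Julien's decoder or anything shipped with OSSEC. The decoder name `usb-insert` and the fragment `(thread 0x1166e0000):` come from the thread; the parent `iptables` follows Dan's remark that a `program_name` of `kernel` is decoded as `iptables`; the sample log line is constructed.

```xml
<!-- Added example; not from the thread or from OSSEC's decoder.xml.
     Assumed sample line (constructed):
       Feb 21 17:44:00 host kernel[0]: (thread 0x1166e0000): USB device inserted
     program_name "kernel" is already matched by the stock "iptables"
     decoder, so a child decoder is attached to it via <parent>. -->
<decoder name="usb-insert">
  <parent>iptables</parent>

  <!-- OSSEC dialect: no [0-9a-f] classes, no PCRE ".".
       \( \) are literal parentheses, \w+ covers the hex digits.
       The prematch is what selects this child; keep it cheap. -->
  <prematch>\(thread 0x\w+\)</prematch>

  <!-- Capture only the hex id; "0x" stays outside the group. -->
  <regex>\(thread 0x(\w+)\)</regex>

  <!-- Must be one of OSSEC's fixed field names. A made-up name such as
       "vendorid" is not an error: the value would silently become "id",
       which is exactly the "they all default to id" symptom above. -->
  <order>extra_data</order>
</decoder>
```

To check the decoder, run `/var/ossec/bin/ossec-logtest` and paste the sample line: Phase 1 should show `program_name: 'kernel'`, and Phase 2 should report the decoded event with `extra_data` set to `1166e0000`. If Phase 2 never appears at all, as in Julien's `strings` output, the binary itself is suspect and no decoder change will help, which is why the reinstall advice comes first.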
