On Tue, Aug 19, 2014 at 12:14 PM, Brian Kellogg <[email protected]> wrote:
> So to match a new line I need to use \\n?
>

No, there isn't really a way to match a new line that I know of. If
you turn on the log all option in the manager's ossec.conf (and
restart the ossec processes) you should see how analysisd receives the
log message. That new line may not be there any longer.

> How do I populate those builtin vars in the regex?  Thanks
>

You have to put parentheses around the bits you want to populate the fields with.

string: ab-c-de
regex: \S+-(\S+)-\S+
result: c

> On Tuesday, August 19, 2014 11:57:08 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Aug 19, 2014 at 11:45 AM, Brian Kellogg <[email protected]> wrote:
>> > I'm new to OSSEC so no doubt I'm missing a lot.  The below decoder is
>> > causing OSSEC to fail on start.  I placed this decoder in the
>> > local_decoder.xml file in ./etc directory of the OSSEC installation.
>> > Not sure what I am getting wrong.
>> >
>> > <decoder name="RDP">
>> >   <type>windows</type>
>> >   <prematch>^WinEvtLog</prematch>
>> >   <regex offset="after_prematch">^Remote Desktop Services: User authentication succeeded:</regex>
>> >   <regex>\nUser: \S+\nDomain: \S+\nSource Network Address: \S+</regex>
>>
>> I suspect this isn't what you're trying to do, but to match the string
>> "\n" you need to escape the backslash. Try "\\n" to match "\n."
>>
>> >   <order>user, location, srcip</order>
>>
>> It doesn't look like you can use "location" here. I'm not sure how
>> much these matter though, you aren't populating them in the regex.
>>
>> > </decoder>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>

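For reference, here is what the decoder looks like once the two points from the reply above are applied: the fields named in <order> are captured with parentheses, and "location" is replaced by fields a decoder can actually populate. This is an added example, not the decoder from the original post or from the OSSEC project. It assumes the agent hands analysisd the event on a single line with whitespace where the newlines were (the "log all" output confirms or refutes that), and it assumes the text between "WinEvtLog" and "Remote Desktop Services" can be skipped; the decoder name "rdp-auth" and the choice to store the domain in extra_data are also assumptions.

```xml
<!-- Added example, not from the thread or from OSSEC's own decoder.xml.
     Goes in etc/local_decoder.xml. Assumes the Windows agent delivers the
     event as one line, with the original line breaks collapsed to whitespace,
     and that everything up to "Remote Desktop Services" can be skipped with \.*
     (an unanchored OSSEC regex matches anywhere, so the leading ^ is dropped). -->
<decoder name="rdp-auth">
  <type>windows</type>
  <prematch>^WinEvtLog</prematch>
  <!-- Each parenthesised group fills one field from <order>, in sequence:
       (\S+) after "User: "                   -> user
       (\S+) after "Domain: "                 -> extra_data (assumed slot)
       (\S+) after "Source Network Address: " -> srcip -->
  <regex offset="after_prematch">\.*Remote Desktop Services: User authentication succeeded:\s*User: (\S+)\s*Domain: (\S+)\s*Source Network Address: (\S+)</regex>
  <order>user, extra_data, srcip</order>
</decoder>
```

After restarting, paste one of the lines captured by the "log all" option into /var/ossec/bin/ossec-logtest; its output shows which decoder matched and the values of user, extra_data and srcip, which is the quickest way to see whether the newline assumption holds and whether the groups land in the right fields.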