On Wed, Feb 4, 2015 at 6:33 AM, Nathaniel Bentzinger <[email protected]> wrote:
> Checking on regexpal.com your \w+ is not needed as there is no match for it.

I didn't know there was a site that helped with OSSEC's regex dialect. Very neat to hear though.

> <prematch>^\w+ \d+ \d\d:\d\d:\d\d niban </prematch>
>
> Should work

Except it doesn't take into account the fact that all of this header information is stripped away.

> From: [email protected] [mailto:[email protected]] On Behalf Of Ki?n Th?c Phan
> Sent: Tuesday, February 03, 2015 11:11 PM
> To: [email protected]
> Subject: [ossec-list] Decoder "niban"
>
> Hi all,
>
> I have a log:
>
> May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
> May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000
>
> And my decoder:
>
> <decoder name="niban">
>   <prematch>^\w+ \d+ \d\d:\d\d:\d\d \w+ niban</prematch>
> </decoder>
>
> I use ossec-logtest debug, my result: No decoder match. What did I do wrong?
> Thanks in advance
>
> ThucPK
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
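To make the point of the reply concrete, here is an added example (not code from the thread or from the OSSEC project) that simulates what happens to the posted log lines: the syslog header (timestamp, hostname, program name and pid) is split off first, and the decoder's `<prematch>` is then tested only against the remaining message body, so a prematch that expects the header can never match. The translation of OSSEC's regex dialect to Python, the field names, the `decoder_matches` helper and the alternative decoder at the bottom are all assumptions made for the illustration, not OSSEC's own implementation.

```python
"""Simulate OSSEC's syslog pre-decoding before <prematch> is evaluated.

Added example, not OSSEC's own code: it mimics the behaviour described in the
thread (header separated from the message before <prematch> is tested) using
an approximate translation of the OSSEC regex dialect.
"""
import re

# Sample lines taken from the thread (constructed test input).
SAMPLE_LOGS = [
    "May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006",
    "May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000",
]

# Syslog header layout that is separated from the message body:
# timestamp, hostname, program name with optional [pid], then the message.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

# Approximate mapping of OSSEC regex escapes to Python character classes
# (assumption: follows the documented OSSEC dialect, where \. is the wildcard).
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_@\-]",
    "W": r"[^A-Za-z0-9_@\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r"[ ]",
    "S": r"[^ ]",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    ".": r".",
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate the subset of OSSEC regex syntax that decoders commonly use."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known class escape; otherwise an escaped literal such as \( or \$.
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # Anchors, quantifiers, grouping and alternation keep their meaning;
        # everything else (including a bare '.') is a literal in OSSEC.
        out.append(ch if ch in "^$+*()|" else re.escape(ch))
        i += 1
    return "".join(out)


def pre_decode(full_log: str) -> dict:
    """Split a syslog line into the fields extracted before decoding."""
    m = SYSLOG_HEADER.match(full_log)
    if m is None:
        # Not syslog-shaped: decoders then see the whole line as the message.
        return {"timestamp": None, "hostname": None, "program_name": None,
                "pid": None, "log": full_log}
    return m.groupdict()


def decoder_matches(decoder: dict, full_log: str) -> bool:
    """Apply <program_name> to the parsed program field and <prematch> to the
    message body only; the header is no longer part of that text."""
    event = pre_decode(full_log)
    if "program_name" in decoder:
        prog = event["program_name"] or ""
        if re.search(ossec_regex_to_python(decoder["program_name"]), prog) is None:
            return False
    if "prematch" in decoder:
        if re.search(ossec_regex_to_python(decoder["prematch"]), event["log"]) is None:
            return False
    return True


# The decoder from the thread: its prematch expects the header, which is
# never present in the text prematch is tested against.
THREAD_DECODER = {
    "name": "niban",
    "prematch": r"^\w+ \d+ \d\d:\d\d:\d\d \w+ niban",
}

# Assumed alternative: match the program and the message body instead. The
# hostname remains available as a separate field for rules to filter on.
FIXED_DECODER = {
    "name": "useradd-newgroup",
    "program_name": r"^useradd$",
    "prematch": r"^new group: name=",
}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields = pre_decode(line)
        print(f"hostname={fields['hostname']} program={fields['program_name']} "
              f"log={fields['log']!r}")
        print("  thread decoder matches:", decoder_matches(THREAD_DECODER, line))
        print("  fixed decoder matches: ", decoder_matches(FIXED_DECODER, line))
```

Running the script shows both posted lines pre-decoded to `hostname=niban`, `program=useradd` and a message body starting at `new group:`, with the thread's decoder failing and the alternative matching. The regex translation is a simplification for the example; `ossec-logtest` remains the authoritative check for a real decoder.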
