A totally untested response from a mobile device is below.

On Apr 4, 2015 5:43 PM, <[email protected]> wrote:
>
> Hello
>
> I am testing and working on this beautiful tool, but I have a little decoding problem. Here it is:
>
> My decoder is:
>
> <decoder name="fakeinc_custom">
>   <prematch>^\.+Fakeinc: </prematch>

This expects one or more characters before "F."

>   <regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex>
>   <order>srcuser,srcip</order>
> </decoder>
>
> and my custom log is:
>
> Mar 26 10:56:36 small-VirtualBox small: Fakeinc: service for: [email protected] Failed
>
> Why is there no decoding performed by OSSEC? I was testing with ossec-logtest, and here is the test output:
>
> ------------------------------------------------------------
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 26 10:56:36 small-VirtualBox small: Fakeinc: service for: [email protected] Failed'
>        hostname: 'small-VirtualBox'
>        program_name: 'small'
>        log: 'Fakeinc: service for: [email protected] Failed'

As we see from the log, there are no characters before the "F."

> **Phase 2: Completed decoding.
>        No decoder matched.
> ------------------------------------------------------------
>
> I have also noticed that if I change my custom log by altering the time format like:
>
> Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for: [email protected] Failed
>
> (I just deleted '6' from '36' seconds)
>
> ==> it matches and it is decoding almost as expected. And here is the output:
>
> ------------------------------------------------------------
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for: [email protected] Failed'
>        hostname: 'small-VirtualBox'
>        program_name: '(null)'
>        log: 'Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for: [email protected] Failed'
>
> **Phase 2: Completed decoding.
>        decoder: 'fakeinc_custom'
>        srcuser: 'toto'
>        srcip: '10.0.0.2'
> ------------------------------------------------------------
>
> Why is that? Is that a bug or did I miss something about decoding or pre-decoding? I hope it is not a bug :)
>
> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
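For readers who want to see the two phases of the thread side by side, here is an added Python model of OSSEC pre-decoding and decoder matching. It is illustration code written for this thread, not OSSEC's own code, and it translates only the subset of OSSEC regex syntax the posted decoder uses (assumption: '\.' is any character, '\w' also covers '@', '-' and '_', '\s' is a space and '\S' any non-space, as the OSSEC regex documentation describes). The sample events are constructed; the user 'toto' and address '10.0.0.2' were chosen so the decoded fields match the logtest output quoted above, since the list archive has redacted the original address. The corrected prematch '^Fakeinc: ' is this example's suggestion, not something the thread's participants wrote.

```python
import re

# Added illustration for the ossec-list thread above; not OSSEC's own code.
# OSSEC regex syntax is not PCRE: '\.' matches ANY character, '\w' also
# covers '@', '-' and '_', '\s' is a literal space, '\S' is any non-space.
# Only the subset used by the decoder in the thread is translated here
# (assumption: this subset behaves like the Python patterns below).
_OSSEC_TOKENS = {
    r"\.": ".",
    r"\w": "[A-Za-z0-9@_-]",
    r"\d": "[0-9]",
    r"\s": " ",
    r"\S": "[^ ]",
}


def ossec_to_python(pattern):
    """Translate an OSSEC regex into an equivalent Python regex (subset only)."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _OSSEC_TOKENS:
            out.append(_OSSEC_TOKENS[tok])
            i += 2
        elif pattern[i] in "^$()+*|":
            out.append(pattern[i])             # same meaning in both syntaxes
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # everything else is a literal
            i += 1
    return "".join(out)


# Simplified syslog pre-decoder: "Mon DD HH:MM:SS host program[pid]: message".
# In real OSSEC the hostname falls back to the agent's own name when the
# header is not recognised (hence 'small-VirtualBox' in the second logtest
# run above); that detail is not modelled here.
_SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(event):
    """Phase 1: strip the syslog header if it parses, else pass the whole event on."""
    m = _SYSLOG_HEADER.match(event)
    if m:
        return {"hostname": m.group("host"), "program_name": m.group("prog"),
                "log": m.group("log")}
    return {"hostname": None, "program_name": None, "log": event}


def decode(decoder, log):
    """Phase 2: prematch, then regex (after the prematch if offset says so), then map groups by <order>."""
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if not pre:
        return None
    rest = log[pre.end():] if decoder.get("offset") == "after_prematch" else log
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))


def run(decoder, event):
    """Run both phases; returns (pre-decoded fields, decoded fields or None)."""
    pre = predecode(event)
    return pre, decode(decoder, pre["log"])


# The decoder exactly as posted: '^\.+Fakeinc: ' demands at least one
# character before "Fakeinc", which the header-stripped log never has.
POSTED_DECODER = {
    "name": "fakeinc_custom",
    "prematch": r"^\.+Fakeinc: ",
    "offset": "after_prematch",
    "regex": r"^service for: (\w+)@(\S+) \w+",
    "order": ["srcuser", "srcip"],
}
# Suggested fix (not from the thread): anchor directly on the message text.
FIXED_DECODER = dict(POSTED_DECODER, prematch=r"^Fakeinc: ")

# Constructed sample events; user and IP chosen to reproduce the values in
# the thread's logtest output, since the archive redacted the original.
GOOD_TS = "Mar 26 10:56:36 small-VirtualBox small: Fakeinc: service for: toto@10.0.0.2 Failed"
BAD_TS = "Mar 26 10:56:3 small-VirtualBox small: Fakeinc: service for: toto@10.0.0.2 Failed"

if __name__ == "__main__":
    for name, dec in (("posted", POSTED_DECODER), ("fixed", FIXED_DECODER)):
        for label, ev in (("36s", GOOD_TS), ("3s", BAD_TS)):
            pre, fields = run(dec, ev)
            print(name, label, "program_name=%r" % pre["program_name"],
                  "fields=%r" % fields)
```

With the posted decoder the well-formed event is pre-decoded (program_name 'small', log starting at "Fakeinc:") and then silently fails prematch, while the event with the broken timestamp skips pre-decoding, so the syslog header supplies the characters '\.+' wants and the fields decode. With the prematch anchored on '^Fakeinc: ' the behaviour flips: the well-formed event decodes and the malformed one does not. The practical check is the one the reply points at: when testing a decoder with ossec-logtest, write the prematch against the 'log:' value printed in Phase 1, not against the raw line, because a decoder that never matches produces no alert and nothing else tells you.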
