I cannot seem to see where I am going wrong. When I test my regex with:

/var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'

against the syslog event of:

    Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start, Error=220>

I am given results. However, when I have the rule of:

<rule id="100032" level="0">
  <if_sid>1002</if_sid>
  <regex>DUQUESNE\sFTP\.+Error\p</regex>
</rule>

and then run it against logtest, it does not work. Log test sees it hit 
Rule 1002 and then tries the child rules and completes as rule 1002.

Any help as to what I am doing wrong would be appreciated.

Thanks!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
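Added example, not part of the original post and not OSSEC's own code: the script below emulates the one step that makes `ossec-regex` and a rule's `<regex>` behave differently. `ossec-regex` runs the pattern over the whole string it is given, whereas analysisd first pre-decodes a syslog line into `hostname`, `program_name` and `log` (the fields logtest prints in Phase 1), and a rule's `<regex>` is checked only against the `log` part, which for this event begins at `220 website.com`. The syslog header pattern, the small OSSEC-to-Python escape table, and the substring check used for `<hostname>`/`<program_name>` are simplifications assumed for this illustration.

```python
import re

# Constructed sample: the syslog event from the post, with the mail wrapping undone.
EVENT = ("Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server "
         "7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, "
         "Client=10.2.3.41:42016><Command=start, Error=220>")

# The pattern from the post, in OSSEC regex syntax.
POSTED_REGEX = r"DUQUESNE\sFTP\.+Error\p"

# Assumed translation table for the OSSEC escapes used here. OSSEC's real engine
# is C code; this approximation only covers the escapes needed for the example.
OSSEC_ESCAPES = {
    r"\s": " ",                                    # OSSEC \s is a single space
    r"\.": ".",                                    # OSSEC \. is any character
    r"\d": "[0-9]",
    r"\w": r"[A-Za-z0-9_\-@^]",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # OSSEC punctuation set
}


def ossec_to_python(pattern):
    """Translate an OSSEC regex (subset) into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in OSSEC_ESCAPES:
            out.append(OSSEC_ESCAPES[two])
            i += 2
        elif pattern[i] in ".[]{}":
            out.append("\\" + pattern[i])          # literal in OSSEC, special in Python
            i += 1
        else:
            out.append(pattern[i])                 # ^ $ | ( ) * + ? keep their meaning
            i += 1
    return "".join(out)


def ossec_regex_search(pattern, text):
    """What ossec-regex does: run the pattern over the whole string it is given."""
    return re.search(ossec_to_python(pattern), text) is not None


# Assumed pre-decoder: split off a "Mon DD HH:MM:SS host prog[pid]: " header,
# mirroring the hostname / program_name / log fields logtest prints in Phase 1.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$", re.S)


def predecode(event):
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def rule_matches(rule, event):
    """Emulate which field each rule tag is checked against:
    <hostname> and <program_name> against the pre-decoded fields (simplified here
    to a substring check), <regex> against the remaining log text only."""
    d = predecode(event)
    if "hostname" in rule and rule["hostname"] not in (d["hostname"] or ""):
        return False
    if "program_name" in rule and rule["program_name"] not in (d["program_name"] or ""):
        return False
    if "regex" in rule and not ossec_regex_search(rule["regex"], d["log"]):
        return False
    return True


if __name__ == "__main__":
    print("ossec-regex on full event:", ossec_regex_search(POSTED_REGEX, EVENT))
    print("log seen by the rule     :", predecode(EVENT)["log"][:40], "...")
    print("posted rule matches      :", rule_matches({"regex": POSTED_REGEX}, EVENT))
    keyed = {"hostname": "DUQUESNE", "program_name": "FTP", "regex": r"Error\p"}
    print("rule keyed on fields     :", rule_matches(keyed, EVENT))
```

Running it shows the posted pattern matching the full event (as `ossec-regex` reports) but not the pre-decoded `log` text, while a rule that puts the host and program into their own tags and keeps only `Error\p` in `<regex>` matches. A quick way to confirm the same split on a real install is to look at the `log:` value logtest prints in Phase 1 for this event.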