I'm having trouble with a forward slash present in my log that appears to 
be tripping up my OSSEC decoder. 

The following output shows the problem:

   [root@ixxx etc]# grep prematch local_decoder.xml
   <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d slot\S*</prematch>
   [root@ixxxx etc]# /var/ossec/bin/ossec-logtest
   2015/11/17 07:53:28 ossec-testrule: INFO: Reading local decoder file.
   2015/11/17 07:53:28 ossec-testrule: INFO: Started (pid: 3702).
   ossec-testrule: Type one log per line.

   2015-11-16T15:21:04+00:00 slot1


   **Phase 1: Completed pre-decoding.
          full event: '2015-11-16T15:21:04+00:00 slot1'
          hostname: 'xxxx'
          program_name: '(null)'
          log: '2015-11-16T15:21:04+00:00 slot1'

   **Phase 2: Completed decoding.
          decoder: 'F5'
   2015-11-16T15:21:04+00:00 slot1/


   **Phase 1: Completed pre-decoding.
          full event: '2015-11-16T15:21:04+00:00 slot1/'
          hostname: 'xxxxx'
          program_name: '(null)'
          log: '2015-11-16T15:21:04+00:00 slot1/'

   **Phase 2: Completed decoding.
          decoder: 'F5'
   2015-11-16T15:21:04+00:00 slot1/fewfwefwe


   **Phase 1: Completed pre-decoding.
          full event: '2015-11-16T15:21:04+00:00 slot1/fewfwefwe'
          hostname: 'xxxxxx'
          program_name: '(null)'
          log: 'slot1/fewfwefwe'

   **Phase 2: Completed decoding.
          No decoder matched.

   2015-11-16T15:21:04+00:00 slot1/fewfewfwefwef ererer


   **Phase 1: Completed pre-decoding.
          full event: '2015-11-16T15:21:04+00:00 slot1/fewfewfwefwef ererer'
          hostname: 'slot1/fewfewfwefwef'
          program_name: '(null)'
          log: 'ererer'

   **Phase 2: Completed decoding.
          No decoder matched.


The output above is also here:
http://pastebin.com/jVjmFFb3

I've tried setting slot1/$HOSTNAME as part of the decoder (for testing).

I've also tried writing a regex specifically for the host name format 
(slot\d/\w+\d\w\d\w+) and it still didn't work.

No matter what, I can't seem to get the log which starts with 
"2015-11-17T05:22:05+00:00 slot1/$HOSTNAME err httpd[16716]"

Any ideas what I'm doing wrong?

Regards,
-Francisco

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
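The ossec-logtest output in the post shows what the decoder is actually tested against: Phase 1 (pre-decoding) has already consumed the ISO timestamp in the last two cases and, in the final one, taken "slot1/fewfewfwefwef" as the hostname, leaving only "ererer" in the log field. A prematch anchored on the timestamp therefore never sees a timestamp. The script below is an added example, not code from the post or from the OSSEC project: it translates the documented OS_Regex class syntax (\d, \w, \s, \S, \p, \W, \D, \t, \., the escaped characters, and the * and + modifiers; alternation and groups are left out) into a Python regex, then runs the poster's prematch over the four "log:" values printed above. The translation is an approximation written for this illustration and the punctuation set follows the OSSEC documentation, not the C source.

```python
import re

# OSSEC (OS_Regex) character classes as documented, expressed as Python regex
# fragments. \p uses the documented punctuation set; '+' (the ISO timezone sign
# in the post's timestamps) is in it.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",      # \w: A-Z, a-z, 0-9, '-', '@', '_'
    "d": r"[0-9]",                # \d: digits
    "s": r" ",                    # \s: a single space
    "t": r"\t",                   # \t: tab
    "p": r"[()*+,\-.:;<=>?\[\]]", # \p: ()*+,-.:;<=>?[]
    "W": r"[^A-Za-z0-9@_\-]",     # \W: anything not \w
    "D": r"[^0-9]",               # \D: anything not \d
    "S": r"[^ ]",                 # \S: anything not a space
    ".": r".",                    # \.: anything
}

# Characters that must be backslash-escaped in OS_Regex to be taken literally.
OSSEC_ESCAPES = {"$": r"\$", "(": r"\(", ")": r"\)", "\\": r"\\", "|": r"\|"}


def ossec_to_python(pattern):
    """Translate the OS_Regex subset above into an equivalent Python regex.

    '^' is only special at the start, '$' only at the end, '*' and '+' apply to
    the preceding class or literal, and every other character (including '.')
    is a literal, as in OS_Regex. '|' alternation is not handled here.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt in OSSEC_CLASSES:
                out.append(OSSEC_CLASSES[nxt])
            elif nxt in OSSEC_ESCAPES:
                out.append(OSSEC_ESCAPES[nxt])
            else:
                raise ValueError("unsupported OS_Regex escape: \\" + nxt)
            i += 2
            continue
        if c == "|":
            raise ValueError("alternation is not supported by this translator")
        if (c == "^" and i == 0) or (c == "$" and i == n - 1) or c in "*+":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def prematch(pattern, log_field):
    """True if an OSSEC-style <prematch> would fire on the text a decoder
    receives, i.e. the 'log:' value that ossec-logtest prints after Phase 1."""
    return re.search(ossec_to_python(pattern), log_field) is not None


# The prematch from the poster's local_decoder.xml.
POSTED_PREMATCH = r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\p\d\d:\d\d slot\S*"

# The four "log:" fields copied from the ossec-logtest output in the post,
# in order; the last two no longer carry the timestamp.
LOGTEST_LOG_FIELDS = [
    "2015-11-16T15:21:04+00:00 slot1",
    "2015-11-16T15:21:04+00:00 slot1/",
    "slot1/fewfwefwe",
    "ererer",
]


def decoder_results(pattern=POSTED_PREMATCH, log_fields=LOGTEST_LOG_FIELDS):
    """Return [(log_field, matched), ...] for each pre-decoded log field."""
    return [(log, prematch(pattern, log)) for log in log_fields]


if __name__ == "__main__":
    print("translated:", ossec_to_python(POSTED_PREMATCH))
    for log, matched in decoder_results():
        print(f"{'match   ' if matched else 'no match'}  log: {log!r}")
```

Running it reproduces the post's Phase 2 results: the first two log fields match (decoder 'F5') and the last two do not, because the text the prematch is anchored on has already been removed by pre-decoding. The same function can be used to try a candidate prematch against the post-Phase-1 text before editing local_decoder.xml.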