Hi Luca. You need to create a "child rule" that matches with 1003 for large messages, and another rule for short messages. After that, you might make a rule that matches with the previous two. A good way to do it is using a rule group. For example, if your decoder is called "oracle", you should create the following rules:

    <!----------------------------------------------------------------------------->
    <group name="oracle_prerules">

      <!-- This rule will match with short logs -->
      <rule id="100005" level="0">
        <decoded_as>oracle</decoded_as>
        <description>Short message accepted</description>
      </rule>

      <!-- This rule will match with large logs -->
      <rule id="100006" level="0">
        <if_sid>1003</if_sid>
        <decoded_as>oracle</decoded_as>
        <description>Large message accepted</description>
      </rule>

    </group>

    <group name="local">

      <rule id="100007" level="3">
        <if_group>oracle_prerules</if_group>
        <description>Oracle sent log.</description>
      </rule>

    </group>
    <!----------------------------------------------------------------------------->

In this way, every alert decoded by "oracle" will match the rule 100007, whether the message is long or short.

Kind regards,
Victor Fernandez.
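The rule chain in the reply above can be sanity-checked offline before it is dropped into a live ruleset. The following script is an added example and is not part of the original message or of OSSEC itself: it parses the posted rules, flags any `<if_sid>` or `<if_group>` that points at a rule or group that does not exist, and walks a simplified model of OSSEC's rule tree (root rules first, then the first matching child, descending until no child matches) to show which rule a short and a "too large" oracle log each end up on. Rule 1003 is treated as a built-in root that fires only for oversize messages, as the reply describes it; its real groups and level are not modelled, and the single-child-per-level descent is a simplification of the engine, so treat the output as a check of the chain's wiring, not of OSSEC's exact behaviour. The dashed separator comments are stripped before parsing because a strict XML parser rejects `--` inside a comment.

```python
"""Resolve if_sid / if_group references in an OSSEC local rules snippet and
simulate which rule a decoded log lands on (simplified rule-tree model)."""
import re
import xml.etree.ElementTree as ET

# Rules copied from the mailing-list reply (constructed test input).
RULES_XML = """
<!----------------------------------------------------------------------------->
<group name="oracle_prerules">
  <!-- This rule will match with short logs -->
  <rule id="100005" level="0">
    <decoded_as>oracle</decoded_as>
    <description>Short message accepted</description>
  </rule>
  <!-- This rule will match with large logs -->
  <rule id="100006" level="0">
    <if_sid>1003</if_sid>
    <decoded_as>oracle</decoded_as>
    <description>Large message accepted</description>
  </rule>
</group>
<group name="local">
  <rule id="100007" level="3">
    <if_group>oracle_prerules</if_group>
    <description>Oracle sent log.</description>
  </rule>
</group>
<!----------------------------------------------------------------------------->
"""

# Assumption: 1003 is the built-in "message too large" rule shipped with
# OSSEC (named in the reply); it is the only parent id outside this snippet.
BUILTIN_OVERSIZE_RULE = {"id": "1003", "level": 0, "groups": [],
                         "decoded_as": None, "if_sid": None,
                         "if_group": None, "description": "builtin: size too large"}


def load_rules(xml_text):
    """Parse <group>/<rule> elements into plain dicts."""
    # Separator comments made only of dashes are not well-formed XML.
    cleaned = re.sub(r"<!--[-\s]*-->", "", xml_text)
    root = ET.fromstring("<rules>" + cleaned + "</rules>")
    rules = []
    for group in root.findall("group"):
        groups = [g for g in group.get("name", "").split(",") if g]
        for rule in group.findall("rule"):
            rules.append({
                "id": rule.get("id"),
                "level": int(rule.get("level", "0")),
                "groups": groups,
                "decoded_as": rule.findtext("decoded_as"),
                "if_sid": rule.findtext("if_sid"),
                "if_group": rule.findtext("if_group"),
                "description": rule.findtext("description"),
            })
    return rules


def check_references(rules):
    """Return human-readable problems for dangling if_sid / if_group."""
    ids = {r["id"] for r in rules} | {BUILTIN_OVERSIZE_RULE["id"]}
    groups = {g for r in rules for g in r["groups"]}
    problems = []
    for r in rules:
        if r["if_sid"] and r["if_sid"] not in ids:
            problems.append(f"rule {r['id']}: if_sid {r['if_sid']} is not defined")
        if r["if_group"] and r["if_group"] not in groups:
            problems.append(f"rule {r['id']}: if_group {r['if_group']} is not defined")
    return problems


def match_path(rules, decoder, too_large):
    """Simplified OSSEC tree walk: pick the first applicable root rule, then
    the first applicable child at each level. Returns the ids in order; the
    last id is the rule whose level decides whether an alert is raised."""
    def applies(r):
        return r["decoded_as"] is None or r["decoded_as"] == decoder

    roots = [BUILTIN_OVERSIZE_RULE] if too_large else []
    roots += [r for r in rules if not r["if_sid"] and not r["if_group"]]
    path, current = [], next((r for r in roots if applies(r)), None)
    while current is not None and current["id"] not in path:
        path.append(current["id"])
        children = [r for r in rules if applies(r) and (
            r["if_sid"] == current["id"]
            or (r["if_group"] is not None and r["if_group"] in current["groups"]))]
        current = children[0] if children else None
    return path


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print("reference problems:", check_references(rules) or "none")
    for large in (False, True):
        print("oracle, too_large=%s -> %s" % (large, match_path(rules, "oracle", large)))
```

Both walks end on 100007, which is the property the reply promises; a dangling `<if_sid>` or a typo in the group name shows up in `check_references` before the rule ever reaches a production manager.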