On Feb 7, 2017 6:28 AM, "Dominik" <[email protected]> wrote:
I would like to write a decoder for a logfile with entries of the following
kind:
27.01.2017,09:06:17 [INFO] Engine-Version: 8.3.42.156
27.01.2017,09:06:17 [INFO] VDF-Version: 8.12.150.34
27.01.2017,09:06:17 [INFO] APC-Version: 2.7.1.3
27.01.2017,09:06:17 [INFO] RDF-Version: 14.0.5.76
27.01.2017,09:06:17 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
27.01.2017,09:06:18 [INFO] [ACP] Load Avira Communication Protocol and
initialize message broker
27.01.2017,09:06:18 [INFO] [ACP] Publish the ACP activity resource
27.01.2017,09:06:18 [INFO] [ACP] Start of the ACP message broker is triggered
27.01.2017,09:06:18 [INFO] Verwendete Konfiguration der Echtzeit-Scanner:
- Geprüfte Dateien: Dateien von lokalen Laufwerken prüfen
- Geprüfte Dateien: Dateierweiterungsliste verwenden: .386 .?HT*
.ACM .ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT
.BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX
.DLL .DLO .DO* .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI
.INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG
.JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD
.OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT* .PPAM .PPS*
.PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB
.SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TSP .TTF .URL .VB? .VCS
.VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK
.XAR .XL* .XML .XXX .ZIP
- Gerätemodus: Datei beim Öffnen durchsuchen, Datei nach
Schließen durchsuchen
- Aktion: Benutzer fragen
- Archive durchsuchen: Deaktiviert
- Makrovirenheuristik: Aktiviert
- Win32 Dateiheuristik: Erkennungsstufe mittel
- Protokollierungsstufe: Standard
27.01.2017,09:06:18 [INFO] Online-Dienste stehen zur Verfügung.
27.01.2017,09:17:04 [INFO] Update-Auftrag gestartet!
27.01.2017,09:17:15 [INFO]
---------------------------------------------------------
27.01.2017,09:17:15 [INFO] Engine-Version: 8.3.42.156
27.01.2017,09:17:15 [INFO] VDF-Version: 8.12.150.78
27.01.2017,09:17:15 [INFO] APC-Version: 2.7.1.3
27.01.2017,09:17:15 [INFO] RDF-Version: 14.0.5.76
27.01.2017,09:17:15 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
27.01.2017,09:27:17 [WARNUNG] Der Zugriff auf die Datei
'H:\autorun.inf' wurde blockiert.
Currently, I do not care about the multi-line entries.
I managed to write the following decoders, which work fine:
<decoder name="aviraInfo">
  <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [INFO]</prematch>
</decoder>

<decoder name="aviraWarnung">
  <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [WARNUNG]</prematch>
</decoder>
I would like to add a parent that matches the date and the time and two
child-decoders that distinguish WARNUNG and INFO. However, I was
unsuccessful with the following attempt:
<decoder name="avira">
  <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
</decoder>

<decoder name="aviraInfo">
  <parent>avira</parent>
  <prematch offset="after_parent">INFO</prematch>
</decoder>

<decoder name="aviraWarning">
  <parent>avira</parent>
  <prematch offset="after_parent">WARNING</prematch>
</decoder>
As a result, only the first decoder matches. How do I get this to run?
Thanks in advance!
Only the parent decoder is mentioned in ossec-logtest. The child decoders
might be matching, but it's tough to tell without pulling any fields out.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
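The parent/child split asked about above, carried through with field extraction so that ossec-logtest has something to report for each child. This is an added example, not the poster's decoders and not Avira's or the OSSEC project's own: the decoder names and the choice of `extra_data` for the INFO message text and `data` for the blocked file path are assumptions of mine; `extra_data` and `data` themselves are two of OSSEC's fixed decoder field names. The second child matches the `[WARNUNG]` literal that appears in the sample log rather than `WARNING`, and its regex assumes the "Der Zugriff auf die Datei ... wurde blockiert." message sits on one line, since the poster is not handling multi-line entries yet.

```xml
<!-- Parent: matches the leading "DD.MM.YYYY,HH:MM:SS [" of every entry.
     In OSSEC regex a plain "." is a literal dot, so the date separators
     match as written; the children then start right after the "[". -->
<decoder name="avira">
  <prematch>^\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
</decoder>

<!-- Child for INFO entries: "\.+" is OSSEC's "anything" token, so the
     whole message after "INFO] " lands in extra_data (field name assumed). -->
<decoder name="avira-info">
  <parent>avira</parent>
  <prematch offset="after_parent">^INFO] </prematch>
  <regex offset="after_prematch">^(\.+)</regex>
  <order>extra_data</order>
</decoder>

<!-- Child for WARNUNG entries: pulls the quoted path of the blocked file
     (e.g. H:\autorun.inf from the sample) into the data field (assumed). -->
<decoder name="avira-warnung">
  <parent>avira</parent>
  <prematch offset="after_parent">^WARNUNG] </prematch>
  <regex offset="after_prematch">^Der Zugriff auf die Datei '(\.+)' wurde blockiert</regex>
  <order>data</order>
</decoder>
```

Drop this into local_decoder.xml, restart ossec-analysisd, and paste one INFO line and the WARNUNG line into /var/ossec/bin/ossec-logtest: the phase-2 output should now list the extracted field next to the decoder, which is the confirmation the reply above says is missing when the children extract nothing.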