This is what I suspected, so what you're saying is I should wrap in () the entire regex and then I can pass it to the script. Interesting, will tell you how it turns out. Thanks

On Monday, June 26, 2017 at 11:51:53 UTC+3, Jesus Linares wrote:
>
> Hi,
>
> active response only accepts *user* and *srcip* as arguments. So, you
> need to create a decoder to extract the log as user or srcip. I'm not sure
> if this regex will work: "^(\.+)$".
>
> I hope it helps.
>
> On Sunday, June 25, 2017 at 7:06:31 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Jun 25, 2017 1:05 PM, "Guy Or" <[email protected]> wrote:
>>
>> Hello,
>>
>> I am writing decoders, rules and scripts that monitor my uwsgi
>> application.
>>
>> Say that I write a decoder for a certain event that appears in the log,
>> and that triggers a rule I wrote for it (using 'decoded_as').
>>
>> How do I pass the entire log line to my custom active response script, so
>> that I can use the information in the logic of the script?
>>
>> FYI: I am using ossec and zabbix in conjunction, right now I detect and
>> parse events with ossec real time log monitoring and send the information
>> to zabbix trappers. Works wonderfully
>>
>>
>> Decode the entire log message as <user>?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
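
Decoding the whole log line into the user field, as suggested in the thread, means the active response script receives text that anyone who can reach the monitored application may influence. The following is an added example, not code from the thread or from the OSSEC project: a hypothetical script `uwsgi-notify.sh` that assumes the stock argument order (action, user, srcip), a constructed 512-character cap and a hypothetical output path, and handles the line strictly as data.

```shell
#!/bin/sh
# Added example (not from the thread): hypothetical active-response script.
# Assumed argument order, as in the stock OSSEC scripts:
#   $1 = action (add|delete)   $2 = user   $3 = srcip
# Assumes a decoder has placed the whole log line in the user field, so $2
# is text written by whoever can reach the monitored application.

MAX_LEN=512   # constructed limit, tune to your log format

# Keep printable ASCII only (drops ESC, tab, newline, bytes >= 0x80) and
# cap the length. The value is only ever passed as data, never evaluated.
sanitize_line() {
    printf '%s' "$1" | LC_ALL=C tr -cd '[:print:]' | cut -c1-"$MAX_LEN"
}

# Reduce the srcip field to characters valid in an IPv4/IPv6 address;
# an undecoded or empty field collapses to "-".
sanitize_ip() {
    ar_ip=$(printf '%s' "$1" | LC_ALL=C tr -cd '0-9A-Fa-f.:')
    printf '%s\n' "${ar_ip:--}"
}

# Print one tab-separated record: action, srcip, line.
# Tabs cannot occur in the sanitized fields, so the record is unambiguous.
# Returns 2 for an unknown action, 3 for an empty line.
handle_event() {
    case "$1" in
        add|delete) ;;
        *) return 2 ;;
    esac
    ar_line=$(sanitize_line "$2")
    [ -n "$ar_line" ] || return 3
    printf '%s\t%s\t%s\n' "$1" "$(sanitize_ip "$3")" "$ar_line"
}

# Entry point when OSSEC runs the script; the record goes to a local file
# (hypothetical path) from which a forwarder can pick it up.
if [ "$#" -ge 3 ]; then
    handle_event "$1" "$2" "$3" >> "${AR_OUT:-/tmp/uwsgi-events.tsv}"
fi
```

Whatever consumes the record downstream should keep passing the line as a single quoted argument or file field, never through `eval` or an unquoted expansion.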
