I am trying to create a child rule to 1002 (which I have silenced) to alert
in certain cases. I can get the rule to work if I remove the regex portion;
however, I don't want that as a permanent solution. My rule is below, and a
sample log entry is below as well. Am I doing something wrong when it comes
to matching based on regex?
<rule id="99999" level="10">
<if_sid>1002</if_sid>
<match>+0000 ERROR TcpOutputFd - Connection to host=\S+ failed</match>
<description>Unsilence 1002 for failed TcpOutputFd connections
</description>
</rule>
Sample Log:
03-06-2018 21:53:42.475 +0000 ERROR TcpOutputFd - Connection to
host=127.0.0.1:9997 failed
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
