On Tue, Mar 6, 2018 at 8:05 AM, El mahdi El korri <[email protected]> wrote:
> Hi everybody,
>
> I used to build a decoder for parsing my log4j code as shown here:
>
> <decoder name="tomcat-LOG4J-FATAL">
>   <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ FATAL </prematch>
>   <regex>(\.+)</regex>
>   <order>extra_data</order>
> </decoder>
>
> <decoder name="tomcat-LOG4J-ERROR">
>   <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ ERROR </prematch>
>   <regex offset="after_prematch">(\.+)</regex>
>   <order>extra_data</order>
> </decoder>
>
> When I run ossec-logtest for this example log:
> 2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................
> it's that OSSEC parsed it with windows-date-format, as shown here:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'
>        hostname: 'alienvault'
>        program_name: '(null)'
>        log: '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        extra_data: '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2900'
>        Level: '0'
>        Description: 'Dpkg (Debian Package) log.'
>
> How can we solve this?
>
Add the windows-date-format decoder as a parent to your decoder:

<decoder name="tomcat-LOG4J-FATAL">
  <parent>windows-date-format</parent>
  <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ FATAL </prematch>
  <regex>(\.+)</regex>
  <order>extra_data</order>
</decoder>

> Best regards,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
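To show why the line keeps landing in windows-date-format until the child declares a parent, here is an added Python simulation of OSSEC decoder selection. It is not OSSEC's own code and not from the thread, and it assumes a simplified model: top-level decoders are tried in file order and the first prematch hit wins, child decoders are only tried under the decoder named in their <parent>, and offset="after_prematch" starts the regex where the prematch ended. The stock windows-date-format definition used here is a constructed approximation (prematch on the date prefix, whole line captured into extra_data), the ERROR sample line is constructed, and ossec_to_python covers only the regex subset these decoders use (\d, \., anchors, groups, quantifiers).

```python
import re

# Constructed sample lines: the FATAL line is the one from the thread,
# the ERROR line is made up to exercise the second decoder.
SAMPLE_LOG = '2018-03-01 12:18:22 FATAL Log4jHelper:75 - ==> Logger "FATAL" level visible .........................'
ERROR_LOG = '2018-03-01 12:18:23 ERROR Log4jHelper:80 - something failed'


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used in these decoders to Python re syntax.

    Assumption (simplified model): \\. means any character, \\d/\\w/\\s keep their
    class meaning, ( ) | ^ $ * + are the only other metacharacters, and every
    other character (including '.', '-', ':') is literal.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")            # OSSEC \. = any character
            elif nxt in "dwsDWS":
                out.append("\\" + nxt)     # same class meaning in Python
            else:
                out.append(re.escape(nxt))
            i += 2
        elif c in "()|^$*+":
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def make_decoder(name, prematch, regex, order, parent=None, offset=None):
    return {"name": name, "parent": parent, "prematch": prematch,
            "regex": regex, "offset": offset, "order": order}


def run_decoder(dec, log):
    """Return (matched, fields) for one decoder applied to a log line."""
    m = re.search(ossec_to_python(dec["prematch"]), log)
    if not m:
        return False, {}
    # offset="after_prematch": the regex only sees the text after the prematch.
    start = m.end() if dec["offset"] == "after_prematch" else 0
    r = re.search(ossec_to_python(dec["regex"]), log[start:])
    fields = dict(zip(dec["order"], r.groups())) if r else {}
    return True, fields


def decode(decoders, log):
    """Top-level decoders are tried in file order; the first prematch hit wins.
    Its children (decoders naming it as <parent>) are then tried in order, and a
    matching child replaces the parent as the reported decoder."""
    for dec in decoders:
        if dec["parent"] is not None:
            continue
        ok, fields = run_decoder(dec, log)
        if not ok:
            continue
        for child in decoders:
            if child["parent"] == dec["name"]:
                cok, cfields = run_decoder(child, log)
                if cok:
                    return child["name"], cfields
        return dec["name"], fields
    return None, {}


# Constructed approximation of the stock decoder that swallowed the line.
PARENT = make_decoder("windows-date-format", r"^\d+-\d+-\d+ \d+:\d+:\d+ ",
                      r"^(\.+)$", ["extra_data"])


def child_decoders(with_parent):
    """The two decoders from the thread, with or without <parent>."""
    parent = "windows-date-format" if with_parent else None
    return [
        make_decoder("tomcat-LOG4J-FATAL", r"^\d+-\d+-\d+ \d+:\d+:\d+ FATAL ",
                     r"(\.+)", ["extra_data"], parent=parent),
        make_decoder("tomcat-LOG4J-ERROR", r"^\d+-\d+-\d+ \d+:\d+:\d+ ERROR ",
                     r"(\.+)", ["extra_data"], parent=parent, offset="after_prematch"),
    ]


def decode_sample(with_parent):
    # The stock decoder is loaded before local ones, so it is listed first.
    return decode([PARENT] + child_decoders(with_parent), SAMPLE_LOG)


def decode_error_sample():
    return decode([PARENT] + child_decoders(True), ERROR_LOG)


if __name__ == "__main__":
    print("without <parent>:", decode_sample(False)[0])   # windows-date-format
    print("with <parent>:   ", decode_sample(True)[0])    # tomcat-LOG4J-FATAL
    print("ERROR line:      ", decode_error_sample())
```

Without <parent>, windows-date-format claims the line at the prematch stage and the FATAL decoder is never consulted; with <parent> it is tried as a child and wins. The ERROR decoder also shows what offset="after_prematch" buys: extra_data holds only the message after the level, whereas the FATAL decoder as posted captures the whole line again.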
