On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams <[email protected]> wrote:
> I am trying to create a child rule to 1002 (which I have silenced) to alert
> in certain cases. I can get the rule to work if I remove the regex portion;
> however, I don't want that as a permanent solution. My rule is below, and a
> sample log entry is below as well. Am I doing something wrong when it comes
> to matching based on regex?
>
> <rule id="99999" level="10">
>   <if_sid>1002</if_sid>
>   <match>+0000 ERROR TcpOutputFd - Connection to host=\S+ failed</match>

Does it work if you change the above to <regex> instead of <match>?

>   <description>Unsilence 1002 for failed TcpOutputFd connections</description>
> </rule>
>
> Sample Log:
>
> 03-06-2018 21:53:42.475 +0000 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
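Spelling out the reply's suggestion, as an added example rather than anything posted in this thread: OSSEC's `<match>` element is evaluated by the OS_Match (sregex) engine, which only understands plain substrings plus the `^`, `$` and `|` operators, so `\S+` is compared literally and never matches the log line. `<regex>` is evaluated by OS_Regex, which does support `\S`, `\w`, `\d`, `\s`, `\.` and the `+` and `*` modifiers. The rule id, level, `if_sid` and description are the poster's own; the `<group>` wrapper and its name are an assumption (rules in local_rules.xml must sit inside some `<group>`, the name is arbitrary), and dropping the leading `+0000` is my own caution, since `+` is a repetition modifier in OS_Regex and anchoring on the text after the timezone offset avoids relying on how a leading `+` is parsed.

```xml
<!-- Added example, not from the thread: child rule of 1002 rewritten to use <regex>.
     OS_Match (<match>) does not understand \S+, so the pattern has to live in <regex>.
     Assumptions: the <group> name is arbitrary; the poster's leading "+0000" is omitted
     because "+" is a repetition modifier in OS_Regex, and the remainder of the line is
     already distinctive enough to match only the TcpOutputFd failure. -->
<group name="local,syslog,">
  <rule id="99999" level="10">
    <if_sid>1002</if_sid>
    <regex>ERROR TcpOutputFd - Connection to host=\S+ failed</regex>
    <description>Unsilence 1002 for failed TcpOutputFd connections</description>
  </rule>
</group>
```

To check the rule without restarting the manager, paste the sample log line into `/var/ossec/bin/ossec-logtest` on the manager and confirm it reports rule 99999 (level 10) rather than stopping at rule 1002; `\S+` consumes `127.0.0.1:9997` because OS_Regex's `\S` is any non-whitespace character, so the host:port in the message can change without breaking the match.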
