Indeed it does!! Thanks for the help, really appreciate it!
On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote:
> On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams <tsinfo...@gmail.com
> > I am trying to create a child rule to 1002 (which I have silenced) to
> > in certain cases. I can get the rule to work if I remove the regex
> > however, I don't want that as a permanent solution. My rule is below,
> > and a
> > sample log entry is below as well. Am I doing something wrong when it
> > to matching based on regex?
> > <rule id="99999" level="10">
> > <if_sid>1002</if_sid>
> > <match>+0000 ERROR TcpOutputFd - Connection to host=\S+</match>
> Does it work if you change the above to <regex> instead of <match>?
> > <description>Unsilence 1002 for failed TcpOutputFd
> > connections</description>
> > </rule>
> > Sample Log:
> > 03-06-2018 21:53:42.475 +0000 ERROR TcpOutputFd - Connection to
> > host=127.0.0.1:9997 failed
> > --
> > ---
> > You received this message because you are subscribed to the Google
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > For more options, visit https://groups.google.com/d/optout.
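The fix above works because OSSEC's `<match>` element does plain text matching (only `^`, `$` and `|` are special), so `\S+` inside a `<match>` is looked for as the literal characters `\S+`, while `<regex>` interprets the documented OS_Regex classes such as `\S`, `\d` and `\w`. The Python below is an added example, not code from the thread or from OSSEC itself: it emulates the two matching modes over the sample log line from the original post. The translation of OS_Regex syntax to Python `re` is a simplified approximation of the documented subset (classes, `+`/`*`, `^`, `$`, `|`), which is an assumption of this example, not OSSEC's own engine.

```python
import re

# Sample log line from the original post, embedded so the example runs offline.
SAMPLE_LOG = ("03-06-2018 21:53:42.475 +0000 ERROR TcpOutputFd - "
              "Connection to host=127.0.0.1:9997 failed")

# The pattern exactly as written in the rule in the thread.
RULE_PATTERN = r"+0000 ERROR TcpOutputFd - Connection to host=\S+"

# Approximation of the OS_Regex character classes documented for <regex>.
# Assumption: a simplified subset written for this example, not OSSEC's engine.
OSREGEX_CLASSES = {
    "w": "[A-Za-z0-9]",            # \w  letters and digits
    "d": "[0-9]",                  # \d  digits
    "s": " ",                      # \s  a space
    "t": "\t",                     # \t  a tab
    "p": r"[()*+,\-.:;<=>?\[\]]",  # \p  punctuation characters
    "S": "[^ ]",                   # \S  anything that is not a space
    "W": "[^A-Za-z0-9]",           # \W  anything that is not a letter or digit
    "D": "[^0-9]",                 # \D  anything that is not a digit
    ".": ".",                      # \.  any character (a bare '.' is a literal dot)
}


def osregex_to_python(pattern: str) -> str:
    """Translate an OS_Regex-style <regex> pattern into a Python re pattern."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            # Known class, e.g. \S; any other escaped character is a literal.
            out.append(OSREGEX_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if ch in "+*" and out:
            out.append(ch)              # quantifier on the preceding token
        elif ch == "^" and i == 0:
            out.append("^")             # anchor only at the very start
        elif ch == "$" and i == n - 1:
            out.append("$")             # anchor only at the very end
        elif ch == "|":
            out.append("|")             # alternation
        else:
            out.append(re.escape(ch))   # everything else, '.' included, is literal
        i += 1
    return "".join(out)


def ossec_regex(pattern: str, log: str) -> bool:
    """Emulate <regex>: the pattern is interpreted with the OS_Regex classes."""
    return re.search(osregex_to_python(pattern), log) is not None


def ossec_match(pattern: str, log: str) -> bool:
    """Emulate <match> (sregex): only '^', '$' and '|' are special.

    A sequence such as '\\S+' is searched for as literal text, which is why the
    rule in the thread never fired while it used <match>.
    """
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt[1 if at_start else 0:len(alt) - (1 if at_end else 0)]
        if at_start and at_end:
            ok = log == literal
        elif at_start:
            ok = log.startswith(literal)
        elif at_end:
            ok = log.endswith(literal)
        else:
            ok = literal in log
        if ok:
            return True
    return False


def evaluate_thread_rule(log: str = SAMPLE_LOG) -> dict:
    """Show how the thread's pattern behaves under <match> versus <regex>."""
    literal_prefix = RULE_PATTERN.replace(r"\S+", "")   # the "regex removed" variant
    # Constructed edge case: same message but an empty host value.
    empty_host = log.replace("host=127.0.0.1:9997", "host=")
    return {
        "match_with_escape": ossec_match(RULE_PATTERN, log),        # False
        "match_without_escape": ossec_match(literal_prefix, log),   # True
        "regex_with_escape": ossec_regex(RULE_PATTERN, log),        # True
        "regex_empty_host": ossec_regex(RULE_PATTERN, empty_host),  # False: \S+ needs a host
        "match_prefix_empty_host": ossec_match(literal_prefix, empty_host),  # True
    }


if __name__ == "__main__":
    for name, fired in evaluate_thread_rule().items():
        print(f"{name:<26} {'fires' if fired else 'does not fire'}")
```

The last two entries in the result show a practical difference beyond the thread's fix: the `<regex>` form with `\S+` only fires when a host value is actually present, whereas the trimmed `<match>` prefix also fires on a log line with an empty `host=`. When writing a child rule to unsilence a broad parent such as 1002, that stricter form is usually what you want, so the alert carries the host that failed.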