On Wed, Apr 25, 2018, 12:37 PM Jacob Mcgrath <[email protected]> wrote:
> tried these with no result:
>
> <decoder name="Buffalo-101">
>   <program_name>kernelmon</program_name>
>   <prematch>^TS5400R33A</prematch>
> </decoder>
>
> <decoder name="Buffalo-102">
>   <parent>iptables</parent>
>   <prematch>^TS5400R33A</prematch>
> </decoder>
>
> The parent decoder will always be displayed. For your decoders to really do anything, they will need to pull out some data into fields (regex and order).
>
> On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>>
>> This is the log sent to ossec:
>>
>> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>>
>> If I run it through logtest I get iptables as the final decoder:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>>        hostname: 'TS5400R33A'
>>        program_name: 'kernelmon'
>>        log: 'cmd=ioerr sdc READ 50030496 1'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'iptables'
>>
>>
>> I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log, but it always decodes the same.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
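The thread's reply points at what is missing: the custom decoders only have a `prematch`, so they never extract anything, and the `prematch` is written against the hostname, which the Phase 1 output shows has already been split off into its own field before decoders run (decoders see only the `log` part, `cmd=ioerr sdc READ 50030496 1`). The following is an added example, not code posted in the thread: a parent/child decoder pair for the kernelmon line with `regex` and `order`, plus one local rule that uses an extracted field. Decoder names, the rule id, the rule level and the choice of which OSSEC field receives which token are my own; the field names in `order` are drawn from OSSEC's fixed set (`action`, `extra_data`, `status`, `id`, `data`), which is why the mapping is a bit loose.

```xml
<!-- Added example (not from the thread). Decoder part goes in
     /var/ossec/etc/local_decoder.xml. -->

<!-- Parent decoder: match on the pre-decoded program_name only. Anchoring
     with ^ and $ keeps it from matching any other program whose name merely
     starts with "kernel". No prematch on the hostname: that string is no
     longer in the text the decoder sees (see the Phase 1 output above). -->
<decoder name="buffalo-kernelmon">
  <program_name>^kernelmon$</program_name>
</decoder>

<!-- Child decoder: pull the I/O error details into fields so rules can
     test them. The regex is matched against the 'log' part only:
       cmd=ioerr sdc READ 50030496 1
     Mapping chosen here (OSSEC 'order' only accepts its fixed field names):
       action=ioerr  extra_data=sdc  status=READ  id=50030496  data=1 -->
<decoder name="buffalo-kernelmon-ioerr">
  <parent>buffalo-kernelmon</parent>
  <prematch>^cmd=ioerr </prematch>
  <regex>^cmd=(\w+) (\w+) (\w+) (\d+) (\d+)$</regex>
  <order>action, extra_data, status, id, data</order>
</decoder>

<!-- Rule part goes in /var/ossec/etc/local_rules.xml. Ids 100000 and up are
     reserved for local rules; 100100 and level 10 are arbitrary choices. -->
<group name="buffalo,local,">
  <rule id="100100" level="10">
    <decoded_as>buffalo-kernelmon</decoded_as>
    <action>ioerr</action>
    <description>Buffalo NAS: kernelmon reported a disk I/O error.</description>
  </rule>
</group>
```

To check it, feed the original line to `/var/ossec/bin/ossec-logtest` again: Phase 2 should now report `decoder: 'buffalo-kernelmon'` with the extracted fields listed under it, and Phase 3 should fire rule 100100. OSSEC uses the first decoder that matches in load order, so if logtest still reports `iptables`, a decoder loaded earlier is still claiming the line and needs to be looked at before the custom one can take effect.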
