On Wed, Apr 25, 2018 at 1:58 PM, Jacob Mcgrath
<[email protected]> wrote:
> Do agent-less syslogs for ossec change on their delivery to the ossec
> server?  These are syslogs being sent to ossec.
>

I don't think so, but maybe I don't understand the question.

Since I'm at a computer, this decoder:
<decoder name="ts54">
  <!-- child decoder: only tried once the iptables decoder has matched -->
  <parent>iptables</parent>
  <!-- cheap check against the log body before the regex is run -->
  <prematch>^cmd=</prematch>
  <!-- first capture group becomes the first field listed in <order> -->
  <regex>^cmd=(\S+) </regex>
  <order>extra_data</order>
</decoder>

Gives me this output:
2018/04/25 14:30:24 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2018/04/25 14:30:24 ossec-testrule: INFO: Started (pid: 14261).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
       full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr
sdc READ 50030496 1'
       hostname: 'TS5400R33A'
       program_name: 'kernelmon'
       log: 'cmd=ioerr sdc READ 50030496 1'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       extra_data: 'ioerr'


> On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>>
>> This is the log sent to ossec:
>>
>> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>>
>> If I run it through logtest I get iptables as the final decoder:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc
>> READ 50030496 1'
>>        hostname: 'TS5400R33A'
>>        program_name: 'kernelmon'
>>        log: 'cmd=ioerr sdc READ 50030496 1'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'iptables'
>>
>>
>> I tried to make other custom decoders using iptables as the parent and/or
>> totally new decoders for this log, but it always decodes the same.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
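To make the two logtest phases in this thread concrete, here is a small Python model of how a parent decoder and a child decoder cooperate. It is an added illustration written for this page, not OSSEC's code. The `ts54` child is the decoder from the reply; the `iptables` parent is a stand-in constructed for the example (it only matches on `program_name ^kernel`, which is an assumption, not the real definition from OSSEC's decoder.xml), and only the subset of OSSEC's regex syntax these decoders use is translated to Python.

```python
"""Toy model of OSSEC's pre-decoding and decoding phases (added example, not OSSEC code)."""
import re
import xml.etree.ElementTree as ET

# Constructed decoder file: a stand-in 'iptables' parent (assumption: matches
# program_name ^kernel) plus the 'ts54' child decoder posted in the reply.
DECODERS_XML = r"""
<root>
  <decoder name="iptables">
    <program_name>^kernel</program_name>
  </decoder>
  <decoder name="ts54">
    <parent>iptables</parent>
    <prematch>^cmd=</prematch>
    <regex>^cmd=(\S+) </regex>
    <order>extra_data</order>
  </decoder>
</root>
"""

# The log line from the thread.
SAMPLE_LOG = "Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1"

# Phase 1: split the syslog header into the fields logtest prints.
SYSLOG = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")

# OSSEC regex subset -> Python regex. OSSEC's '.' is any char, '\.' a literal dot.
_ESCAPES = {"S": r"\S", "s": r"\s", "w": r"\w", "d": r"\d", "W": r"\W", "D": r"\D", ".": r"\."}
_SPECIAL = set("^$()+*|.")


def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _ESCAPES:
            out.append(_ESCAPES[pattern[i + 1]])
            i += 2
            continue
        out.append(c if c in _SPECIAL else re.escape(c))
        i += 1
    return re.compile("".join(out))


def predecode(line):
    m = SYSLOG.match(line)
    ev = m.groupdict() if m else {"log": line}
    ev["full_event"] = line
    return ev


def load_decoders(xml_text):
    decs = []
    for el in ET.fromstring(xml_text.strip()).iter("decoder"):
        order = el.findtext("order") or ""
        decs.append({
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "program_name": el.findtext("program_name"),
            "prematch": el.findtext("prematch"),
            "regex": el.findtext("regex"),
            "order": [f.strip() for f in order.split(",") if f.strip()],
        })
    return decs


def _extract(dec, ev):
    """Map the regex capture groups onto the field names listed in <order>."""
    if not dec["regex"]:
        return
    m = ossec_to_python(dec["regex"]).search(ev["log"])
    if m:
        for field, value in zip(dec["order"], m.groups()):
            ev[field] = value


def decode(line, decoders):
    ev = predecode(line)
    parents = [d for d in decoders if not d["parent"]]
    chosen = None
    for d in parents:  # Phase 2a: first parent whose conditions all hold wins
        if d["program_name"] and not ossec_to_python(d["program_name"]).search(ev.get("program_name", "")):
            continue
        if d["prematch"] and not ossec_to_python(d["prematch"]).search(ev["log"]):
            continue
        chosen = d
        break
    if chosen is None:
        return ev
    ev["decoder"] = chosen["name"]  # logtest reports the parent's name even when a child matches
    _extract(chosen, ev)
    for c in decoders:  # Phase 2b: children of the matched parent, first prematch hit wins
        if c["parent"] != chosen["name"]:
            continue
        if c["prematch"] and not ossec_to_python(c["prematch"]).search(ev["log"]):
            continue
        _extract(c, ev)
        break
    return ev


if __name__ == "__main__":
    ev = decode(SAMPLE_LOG, load_decoders(DECODERS_XML))
    print("**Phase 1: Completed pre-decoding.")
    for k in ("full_event", "hostname", "program_name", "log"):
        print(f"       {k.replace('_', ' ', 1) if k == 'full_event' else k}: '{ev[k]}'")
    print("\n**Phase 2: Completed decoding.")
    for k in ("decoder", "extra_data"):
        if k in ev:
            print(f"       {k}: '{ev[k]}'")
```

Run with only the parent loaded and the output stops at `decoder: 'iptables'` with no fields, which is the situation in the first post; with the `ts54` child loaded as well, `extra_data: 'ioerr'` appears, as in the reply. The model also shows why a child decoder keeps reporting the parent's name: in this design the child adds fields to the event rather than replacing the decoder that matched it.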
