On Fri, Mar 13, 2020 at 2:28 PM Olivier Ragain <[email protected]> wrote:
>
> Hi,
> I've created a custom decoder:
> <decoder name="sshd-custom">
>   <program_name>^sshd</program_name>
> </decoder>
>
> <decoder name="sshd-bad-protocol-version">
>   <parent>sshd-custom</parent>
>   <prematch>^Bad protocol version</prematch>
>   <regex offset="after_prematch">^\S+ from (\S+) port (\S+)$</regex>
>   <order>srcip,srcport</order>
> </decoder>
>
> When I restart the engine to load it, I end up with the following error:
> 2020/03/13 18:21:54 ossec-testrule: INFO: Reading decoder file decoders/ssh_decoder.xml.
> 2020/03/13 18:21:54 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> 2020/03/13 18:21:54 ossec-testrule: INFO: Reading the lists file: 'lists/approved_scanners_list'
> 2020/03/13 18:21:54 ossec-analysisd: Invalid decoder name: 'pam'.
> 2020/03/13 18:21:54 ossec-testrule(1220): ERROR: Error loading the rules: 'pam_rules.xml'.
>
> Where is the error in my decoder?
>
I don't receive an error when I add the decoders to local_decoders.xml.
Which version of OSSEC are you using?

> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/9e0d792c-1b50-43fb-86e9-71d229dd17bd%40googlegroups.com.
