Re: [ossec-list] Child rule w/ regex not working - can't figure out why
Indeed it does!! Thanks for the help, really appreciate it!

On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote:
> On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams wrote:
> > I am trying to create a child rule to 1002 (which I have silenced) to alert in certain cases. I can get the rule to work if I remove the regex portion; however, I don't want that as a permanent solution. My rule is below, and a sample log entry is below as well. Am I doing something wrong when it comes to matching based on regex?
> >
> > 1002
> > + ERROR TcpOutputFd - Connection to host=\S+ failed
>
> Does it work if you change the above to instead of ?
>
> > Unsilence 1002 for failed TcpOutputFd connections
> >
> > Sample Log:
> >
> > 03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Child rule w/ regex not working - can't figure out why
On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams wrote:
> I am trying to create a child rule to 1002 (which I have silenced) to alert in certain cases. I can get the rule to work if I remove the regex portion; however, I don't want that as a permanent solution. My rule is below, and a sample log entry is below as well. Am I doing something wrong when it comes to matching based on regex?
>
> 1002
> + ERROR TcpOutputFd - Connection to host=\S+ failed

Does it work if you change the above to instead of ?

> Unsilence 1002 for failed TcpOutputFd connections
>
> Sample Log:
>
> 03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
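For readers who hit the same problem, an added example of the child rule written so that OSSEC interprets `\S+`; this is not Rob's or Dan's rule and not OSSEC project code. It assumes the thread's pattern originally sat in a `<match>` element, which OSSEC compares as a literal string, and that the tag Dan points to is `<regex>`, whose syntax treats `\S+` as one or more non-space characters; the rule id 100100, the level and the group name are assumptions.

```xml
<!-- Added example for local_rules.xml (assumed file); id 100100 and level 7 are assumed -->
<group name="local,">

  <!-- Does NOT fire on the sample log: inside <match> the text is a literal,
       so "host=\S+" is compared character for character against
       "host=127.0.0.1:9997" and never matches.
         <match>ERROR TcpOutputFd - Connection to host=\S+ failed</match>
  -->

  <!-- Fires on the sample log: inside <regex>, \S+ means one or more
       non-space characters, which covers "127.0.0.1:9997".
       The leading "+ " from the thread's pattern is left out because "+"
       is a repetition operator in OSSEC regex syntax and the pattern is
       unanchored, so it still matches anywhere in the line. -->
  <rule id="100100" level="7">
    <if_sid>1002</if_sid>
    <regex>ERROR TcpOutputFd - Connection to host=\S+ failed</regex>
    <description>Unsilence 1002 for failed TcpOutputFd connections</description>
  </rule>

</group>
```

Paste the sample log line into `/var/ossec/bin/ossec-logtest` to confirm that rule 100100 fires instead of the silenced 1002.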
[ossec-list] Child rule w/ regex not working - can't figure out why
I am trying to create a child rule to 1002 (which I have silenced) to alert in certain cases. I can get the rule to work if I remove the regex portion; however, I don't want that as a permanent solution. My rule is below, and a sample log entry is below as well. Am I doing something wrong when it comes to matching based on regex?

1002
+ ERROR TcpOutputFd - Connection to host=\S+ failed
Unsilence 1002 for failed TcpOutputFd connections

Sample Log:

03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed