Indeed it does!! Thanks for the help, really appreciate it!
On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams wrote:
> > I am trying to create a child rule to 1002 (which I have silenced) to alert
> > in certain cases. I can get the rule to work if I remove the regex portion;
> > however, I don't want that as a permanent solution. My rule is below, and a
> > sample log entry is below as well. Am I doing something wrong when it comes
> > to matching based on regex?
> >
> > 1002
> >
> > + ERROR TcpOutputFd - Connection to host=\S+ failed
> >
>
> Does it work if you change the above to instead of ?
>
> > Unsilence 1002 for failed TcpOutputFd connections
> >
> > Sample Log:
> >
> > 03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to
> > host=127.0.0.1:9997 failed
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com .
> > For more options, visit https://groups.google.com/d/optout.
>
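As an added illustration of the point the thread turns on (a `<match>` element is a literal substring test, so `\S+` is never interpreted there, while a `<regex>` element uses OSSEC's own regex dialect), the script below runs the thread's pattern against the thread's sample log line under both interpretations. This is example code added here, not code from the thread or from OSSEC, and it is an emulation, not OSSEC's engine: the character-class table, the treatment of a leading `+` as a literal character, the literal meaning of a plain `.`, and the plain-substring semantics for `<match>` are all assumptions to be verified against the regex syntax page for your OSSEC version. The names `ossec_regex_to_python`, `ossec_match`, `ossec_regex` and `evaluate` are the example's own.

```python
import re

# Constructed sample input: the log line quoted in the thread.
SAMPLE_LOG = ("03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to "
              "host=127.0.0.1:9997 failed")

# The pattern from the thread, and the same pattern with its regex portion removed
# (the poster reported that the rule fired once the \S+ part was taken out).
PATTERN_WITH_REGEX = r"+ ERROR TcpOutputFd - Connection to host=\S+ failed"
PATTERN_LITERAL_ONLY = "ERROR TcpOutputFd - Connection to host="

# Assumed approximation of OSSEC's documented regex classes. This is not OSSEC's
# own code; check the regex syntax documentation for your version before relying on it.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_]",          # word characters (approximate)
    "d": r"[0-9]",
    "s": r" ",                     # OSSEC \s is a single space
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",  # punctuation set as documented (approximate)
    "W": r"[^A-Za-z0-9_]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",                     # OSSEC \. is the any-character wildcard (assumed)
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate the emulated OSSEC regex subset into a Python re pattern."""
    out = []
    have_atom = False  # True when the previous token can take a + or * modifier
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            esc = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(esc, re.escape(esc)))
            have_atom = True
            i += 2
            continue
        if c in "+*":
            if have_atom:
                out.append(c)            # modifier on the preceding token
                have_atom = False
            else:
                out.append(re.escape(c))  # emulator assumption: bare + or * is literal
                have_atom = True
            i += 1
            continue
        if c in "^$|":
            out.append(c)                 # anchors and alternation pass through
            have_atom = False
        else:
            out.append(re.escape(c))      # a plain "." is literal here, unlike PCRE
            have_atom = True
        i += 1
    return "".join(out)


def ossec_match(pattern: str, line: str) -> bool:
    """Emulated <match>: a plain substring test, so \\S and friends are never
    interpreted (assumption: ^, $ and | are left out of this emulation)."""
    return pattern in line


def ossec_regex(pattern: str, line: str) -> bool:
    """Emulated <regex>: translate the OSSEC-style pattern, then search the line."""
    return re.search(ossec_regex_to_python(pattern), line) is not None


def evaluate(pattern: str, line: str) -> dict:
    """Report how each element type would treat the pattern on this line."""
    return {"match": ossec_match(pattern, line),
            "regex": ossec_regex(pattern, line)}


if __name__ == "__main__":
    for name, pat in (("with \\S+", PATTERN_WITH_REGEX),
                      ("literal only", PATTERN_LITERAL_ONLY)):
        print(f"{name:13} -> {evaluate(pat, SAMPLE_LOG)}")
```

Run as-is, the first pattern reports `match` false and `regex` true, which is the behaviour the thread describes: the literal element can only fire once the `\S+` portion is removed, while the regex element matches the full line. The translated pattern is handed to `re.search`, so like OSSEC's rules it matches anywhere in the line unless anchored with `^`.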