Re: [ossec-list] Child rule w/ regex not working - can't figure out why

2018-03-06 Thread Rob Williams
Indeed it does!! Thanks for the help, really appreciate it!

On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams wrote:
> > I am trying to create a child rule to 1002 (which I have silenced) to alert
> > in certain cases. I can get the rule to work if I remove the regex portion;
> > however, I don't want that as a permanent solution. My rule is below, and a
> > sample log entry is below as well. Am I doing something wrong when it comes
> > to matching based on regex?
> >
> >
> >
> > 1002
> >
> > + ERROR TcpOutputFd - Connection to host=\S+ failed
> >
>
> Does it work if you change the above to  instead of ?
>
> > Unsilence 1002 for failed TcpOutputFd connections
> >
> >
> > Sample Log:
> >
> > 03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] Child rule w/ regex not working - can't figure out why

2018-03-06 Thread dan (ddp)
On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams wrote:
> I am trying to create a child rule to 1002 (which I have silenced) to alert
> in certain cases. I can get the rule to work if I remove the regex portion;
> however, I don't want that as a permanent solution. My rule is below, and a
> sample log entry is below as well. Am I doing something wrong when it comes
> to matching based on regex?
>
> 
>
> 1002
>
> + ERROR TcpOutputFd - Connection to host=\S+ failed
>

Does it work if you change the above to  instead of ?

> Unsilence 1002 for failed TcpOutputFd connections
>
>
>
> Sample Log:
>
>
> 03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to
> host=127.0.0.1:9997 failed
>

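The element names dan suggested swapping did not survive in this copy of the thread. The following is an added example, not code from either poster, written on the assumption that the two elements in question are OSSEC's `<match>` (plain substring search, where only `^`, `$` and `|` are special) and `<regex>` (OSSEC's own regex dialect, in which `\S+` means one or more non-space characters). It also assumes that rule 1002 matches OSSEC's bad-words list, which includes "error" and "failed", and that OSSEC compares case-insensitively. The matching functions are a simplified emulation written for this example, and the rule id 100100 and level 5 are placeholders; everything else comes from the sample log and pattern quoted above.

```python
"""Why a child of rule 1002 containing \\S+ fires only when the pattern is in
the element OSSEC evaluates as a regular expression (added example; the match
functions below are a simplified emulation, not OSSEC's own code)."""
import re
import xml.etree.ElementTree as ET

# Sample log line quoted in the thread.
SAMPLE_LOG = ("03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to "
              "host=127.0.0.1:9997 failed")

# The pattern from the original rule.
PATTERN = r"+ ERROR TcpOutputFd - Connection to host=\S+ failed"

# Two versions of the child rule; only the element holding the pattern differs.
# Rule id 100100 and level 5 are placeholders chosen for this example.
RULE_WITH_MATCH = f"""<rule id="100100" level="5">
  <if_sid>1002</if_sid>
  <match>{PATTERN}</match>
  <description>Unsilence 1002 for failed TcpOutputFd connections</description>
</rule>"""
RULE_WITH_REGEX = (RULE_WITH_MATCH.replace("<match>", "<regex>")
                                  .replace("</match>", "</regex>"))

# Subset of the bad-words list that OSSEC rule 1002 matches (assumption).
BAD_WORDS = "error|failure|failed|denied|refused|fatal"


def ossec_match(pattern: str, log: str) -> bool:
    """Emulates <match>: '|' separates alternatives, each a literal substring;
    a leading '^' anchors to the start, a trailing '$' to the end. Backslash
    sequences such as \\S have no special meaning here."""
    log_l = log.lower()
    for alt in pattern.lower().split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if at_start else alt
        lit = lit[:-1] if at_end else lit
        if at_start and at_end:
            hit = log_l == lit
        elif at_start:
            hit = log_l.startswith(lit)
        elif at_end:
            hit = log_l.endswith(lit)
        else:
            hit = lit in log_l
        if hit:
            return True
    return False


# OSSEC escape sequences and their Python re equivalents (simplified).
_CLASS = {"S": r"\S", "s": r"\s", "w": r"\w", "d": r"\d", "W": r"\W",
          "D": r"\D", "p": r"[^\w\s]", "t": r"\t", "n": r"\n", ".": r"\."}


def ossec_regex(pattern: str, log: str) -> bool:
    """Emulates <regex> by translating the OSSEC dialect to Python re:
    \\S, \\s, \\w, \\d and friends are classes, '.', '+', '*', '^', '$', '|',
    '(' and ')' keep their meaning, everything else is literal. A '+' or '*'
    with nothing before it (as at the start of the thread's pattern) is literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASS.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "+*" and (not out or out[-1] in ("|", "(")):
            out.append(re.escape(c))
        elif c in ".+*^$|()":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return re.search("".join(out), log, re.IGNORECASE) is not None


def rule_fires(rule_xml: str, log: str) -> bool:
    """Parse the child rule, require its parent (1002) to match first, then
    apply its own pattern with the semantics of the element that holds it."""
    rule = ET.fromstring(rule_xml)
    if rule.findtext("if_sid") != "1002" or not ossec_match(BAD_WORDS, log):
        return False
    if (m := rule.find("match")) is not None:
        return ossec_match(m.text, log)
    if (r := rule.find("regex")) is not None:
        return ossec_regex(r.text, log)
    return True  # no pattern of its own: fires whenever the parent does


if __name__ == "__main__":
    print("pattern in <match>:", rule_fires(RULE_WITH_MATCH, SAMPLE_LOG))
    print("pattern in <regex>:", rule_fires(RULE_WITH_REGEX, SAMPLE_LOG))
```

Run as-is it reports False for the `<match>` version (the log has no literal `\S+` in it) and True for the `<regex>` version, which is the behaviour the original poster confirmed once the element was changed. The same emulation can be pointed at other log lines to check that the child rule stays quiet for lines 1002 would not have matched in the first place.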