On 5/4/2011 10:26 PM, Michael Starks wrote:
On 05/04/2011 08:32 PM, Martin Gottlieb wrote:

When I ran the command: sed -n 16741p
logs/alerts/2011/May/ossec-alerts-04.log | bin/ossec-logtest
from within /var/ossec, the decoder did not extract the user and srcip
fields. I then ran:
sed -n 16741p logs/alerts/2011/May/ossec-alerts-04.log | od -a and found
that each Name: Value pair was
preceded by a variable number of spaces and then a *TAB* character.

It turns out that *\s* only matches spaces, not any white-space
character. So I changed my regex to this:

<regex offset="after_prematch">User\s+Name:\s*(\w+)\s+\.*Source Network Address:\s+(\d+.\d+.\d+.\d+)\s+</regex>

and it now works.

Thanks for sharing your solution and for introducing me to od. That looks pretty useful. I guess the lesson here is to feed the log sample directly from archives.log into ossec-logtest to avoid any translation issues. That's something that I certainly haven't been doing.

So is the number of spaces variable depending on the Windows version, or in general? I am surprised we haven't seen this before.

I was referring specifically to the Windows log when mentioning the # of spaces. I think you'd have to take any given log record on a case-by-case basis.
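An added example, not code from the thread or from OSSEC, showing why the first decoder failed and the posted one works: it translates the OSSEC regex subset used above into Python's re syntax (OSSEC semantics as documented: \s is a single space, \t a tab, \w alphanumerics plus - @ _, \d a digit, \. any character, a bare . a literal dot; this mapping is an assumption) and runs both patterns over a constructed Windows log line in which each Name: Value pair is preceded by spaces and a TAB. The prematch/offset handling of the real decoder is ignored; the patterns are simply searched in the line.

```python
import re

# Constructed sample line (not from the thread): fields are preceded by
# spaces and a TAB, the layout od -a revealed in the discussion above.
SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(540): Security: jdoe: CORP: HOST1: "
    "Successful Network Logon:   \tUser Name: jdoe   \tDomain: CORP   \t"
    "Logon Type: 3   \tSource Network Address: 10.0.0.5   \tSource Port: 1234"
)

# OSSEC regex escapes -> Python re (assumed from the OSSEC regex docs).
OSSEC_TO_PY = {
    r"\s": " ",                 # a single space, NOT any whitespace
    r"\t": r"\t",               # tab must be asked for explicitly
    r"\w": r"[A-Za-z0-9@_-]",   # letters, digits, '-', '@', '_'
    r"\d": r"[0-9]",
    r"\.": r".",                # "anything" in OSSEC
}

def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC-style regex into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            # unknown escapes are treated as the literal escaped character
            out.append(OSSEC_TO_PY.get(tok, re.escape(pattern[i + 1])))
            i += 2
        elif ch == ".":
            out.append(r"\.")   # bare '.' is a literal dot in OSSEC
            i += 1
        else:
            out.append(ch)      # ( ) + * ^ $ | behave the same in both
            i += 1
    return "".join(out)

def decode(pattern: str, line: str):
    """Return (user, srcip) when the OSSEC-style pattern matches, else None."""
    m = re.search(ossec_regex_to_python(pattern), line)
    return m.groups() if m else None

# Space-only version: \s+ cannot cross the TAB that precedes the next field.
SPACE_ONLY = r"User\s+Name:\s*(\w+)\s+Source Network Address:\s+(\d+.\d+.\d+.\d+)\s+"
# The regex posted in the thread: \.* swallows the TAB and intervening fields.
POSTED = r"User\s+Name:\s*(\w+)\s+\.*Source Network Address:\s+(\d+.\d+.\d+.\d+)\s+"

if __name__ == "__main__":
    print("space-only:", decode(SPACE_ONLY, SAMPLE))   # None
    print("posted:    ", decode(POSTED, SAMPLE))       # ('jdoe', '10.0.0.5')
```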
