Hi! Try with this: \d+-\d+-\d+\w\d+:\d+:\d+\+\d+:\d+ CRIT Not valid template file\:
Best regards
woodspeed

On February 6, 2012 at 16:26, Daniel Cid <daniel....@gmail.com> wrote:
> Hey,
>
> What are you trying to decode there? And how will you use this information?
>
> If you will not use the decoded information anywhere, just write a
> rule to ignore
> or do what you need with this event...
>
> Thanks,
>
> --
> Daniel B. Cid
>
>
> On Mon, Feb 6, 2012 at 10:55 AM, kumaig <goj...@gmail.com> wrote:
> > Yes I have. Only solution that I find that worked for me is to change
> > log format like this..
> > 2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml
> > and with this decoder everything works well...
> > <decoder name="magentoCRIT">
> > <prematch>^\d+-\d+-\d+\s\d+:\d+:\d+\p\d+:\d+\sCRIT</prematch>
> > </decoder>
> > <decoder name="magentoCRIT-alert">
> > <parent>magentoCRIT</parent>
> > <regex offset="after_parent">(\.+)</regex>
> > <order>extra_data</order>
> > </decoder>
> > But with this log format no luck.
> > 2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml
> > no luck...
> >
> > Thanks dan for quick response.
> >
> > On Feb 6, 12:39 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> >> On Thu, Feb 2, 2012 at 11:11 AM, kumaig <goj...@gmail.com> wrote:
> >> > it does not work with T either :(
> >>
> >> Have you tried feeding it through ossec-logtest? The date may be
> >> getting decoded out.
> >>
> >> > On Feb 2, 14:07, "dan (ddp)" <ddp...@gmail.com> wrote:
> >> >> On Wed, Feb 1, 2012 at 7:59 AM, kumaig <goj...@gmail.com> wrote:
> >> >> > I have tried for a few weeks to decode one magento log with no luck. I
> >> >> > have searched more than 2 weeks for solution for this problem. If
> >> >> > anyone can help I appreciate it.
> >> >> > the log is :
> >> >> > 2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml
> >>
> >> >> > I have made several decoders but none worked for this log.
> >>
> >> >> > <decoder name="magentoCRIT">
> >> >> > #<prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d\.*</prematch>
> >> >> > #<prematch>^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+ CRIT</prematch>
> >> >> > #<prematch>CRIT</prematch>
> >> >> > <prematch>\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. CRIT</prematch>
> >> >> > </decoder>
> >>
> >> >> > My guess is that date format is making some sort of error.. because if
> >> >> > I try format like this
> >>
> >> >> > 2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml
> >>
> >> >> > it finds modified decoder without \w.
> >>
> >> >> > Thank you all!
> >>
> >> >> Why use the \w? Isn't it always a "T"?
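
Added example, not part of the thread and not OSSEC's own code: an offline check of the prematch expressions posted above against both log formats, to separate "the expression is wrong" from "something earlier consumed the timestamp". The character-class mapping is an assumption taken from the OSSEC regex syntax documentation, and the script does not model the stage dan refers to when he says the date may be getting decoded out.

```python
import re

# Assumed OSSEC character classes (from the OSSEC regex syntax documentation),
# expressed as Python character sets. Approximation, not OSSEC's own matcher.
CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9@_-]",
    "s": "[ ]",
    "p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
    ".": ".",
}

def to_python(ossec_pattern):
    """Translate the subset of OSSEC regex syntax used in this thread."""
    out, i = [], 0
    while i < len(ossec_pattern):
        ch = ossec_pattern[i]
        if ch == "\\":
            i += 1
            name = ossec_pattern[i:i + 1]
            if name not in CLASSES:
                raise ValueError("unsupported escape: \\" + name)
            out.append(CLASSES[name])
        elif ch in "^$+*":
            out.append(ch)  # anchors and quantifiers pass through unchanged
        else:
            out.append(re.escape(ch))  # everything else is a literal
        i += 1
    return "".join(out)

def prematch(ossec_pattern, line):
    return re.search(to_python(ossec_pattern), line) is not None

# Log lines from the thread, with the e-mail line wrap rejoined.
TAIL = " CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml"
LOGS = {"T": "2011-12-28T08:30:59+00:00" + TAIL,
        "space": "2011-12-28 08:30:59+00:00" + TAIL}

# Prematch expressions posted in the thread.
PATTERNS = {
    "with_w": r"^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+ CRIT",
    "with_s": r"^\d+-\d+-\d+\s\d+:\d+:\d+\p\d+:\d+\sCRIT",
    "25_dots": r"\." * 25 + " CRIT",
}

def results():
    return {(p, l): prematch(PATTERNS[p], LOGS[l]) for p in PATTERNS for l in LOGS}

if __name__ == "__main__":
    for (p, l), hit in results().items():
        print(f"{p:8} vs {l:5} separator: {'match' if hit else 'no match'}")
```

Under this mapping the `\w` expression does match the `T` line, so the character classes alone do not account for the failure kumaig reports; running the raw line through ossec-logtest, as dan suggests, shows what the decoder actually receives.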