Now I wrote it like this:

<decoder name="rsyslog-pstats-main">
  <parent>rsyslog-pstats</parent>
  <prematch>^main\sQ</prematch>
</decoder>

<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-main</parent>
  <regex offset="after_parent">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-main</parent>
  <regex offset="after_parent">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

but the server says:

2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'rsyslog-pstats-main'.
2013/03/05 12:27:03 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
2013/03/05 12:27:03 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
2013/03/05 12:28:13 ossec-syscheckd: INFO: Starting syscheck scan.

Thanks & Best Regards

From: root
Date: 2013-03-04 12:43
To: ossec-list
Subject: multiple OSSEC decoders on the same event has some problem

Hi, all.

Now I want to match these events:

2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
2013-03-04T12:39:54.901163+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441
2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0
2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0
2013-03-04T12:40:04.906921+08:00 localhost rsyslogd-pstats: action 2: processed=2393 failed=0
2013-03-04T12:40:04.906923+08:00 localhost rsyslogd-pstats: action 3: processed=35 failed=0
2013-03-04T12:40:04.906925+08:00 localhost rsyslogd-pstats: action 4: processed=2 failed=0
2013-03-04T12:40:04.906926+08:00 localhost rsyslogd-pstats: action 5: processed=32 failed=0
2013-03-04T12:40:04.906928+08:00 localhost rsyslogd-pstats: action 6: processed=0 failed=0
2013-03-04T12:40:04.906930+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
2013-03-04T12:40:04.906931+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0

I want to match all of the "failed" or "discarded" values. My decoder is like this:

<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

<!-- failed -->
<decoder name="rsyslog-pstats-failed">
  <parent>rsyslog-pstats</parent>
  <prematch>^action\s\d+</prematch>
  <regex offset="after_prematch">^\.*failed=(\d+)</regex>
  <order>extra_data</order>
</decoder>

<!-- main Q -->
<decoder name="rsyslog-pstats-discarded">
  <parent>rsyslog-pstats</parent>
  <prematch>^main\sQ</prematch>
</decoder>

<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>
<!-- the end of rsyslog -->

but OSSEC says:

2013/03/04 12:35:47 ossec-analysisd(2107): ERROR: Decoder configuration error: 'rsyslog-pstats-discarded-full'.
2013/03/04 12:35:47 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

I think this part has a problem, but I do not know why or how:

<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

Thanks & Best Regards
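As an added example (not from this thread or the OSSEC project), a small Python checker that applies two load-time constraints assumed for decoder.xml: a <parent> must name a decoder that has no <parent> of its own, and <regex offset="after_prematch"> needs a <prematch> in the same decoder. It runs over the decoders posted above, embedded as a constructed sample, and flags the 'rsyslog-pstats-main' parent reference named in the error.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three decoders from the reply above plus the
# top-level rsyslog-pstats decoder from the original post.
DECODERS_XML = r"""
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>
<decoder name="rsyslog-pstats-main">
  <parent>rsyslog-pstats</parent>
  <prematch>^main\sQ</prematch>
</decoder>
<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-main</parent>
  <regex offset="after_parent">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>
<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-main</parent>
  <regex offset="after_parent">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>
"""


def check_decoders(xml_text):
    """Return [(decoder_name, problem), ...]; an empty list means no finding.

    Assumed rules (what analysisd is taken to enforce when loading decoders):
      1. <parent> must name a decoder that has no <parent> of its own.
      2. <regex offset="after_prematch"> needs a <prematch> in the same decoder.
    """
    # decoder.xml has no single root element, so wrap the fragment for parsing.
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = root.findall("decoder")
    top_level = {d.get("name") for d in decoders if d.find("parent") is None}
    problems = []
    for d in decoders:
        name = d.get("name")
        parent = d.findtext("parent")
        if parent is not None and parent not in top_level:
            problems.append((name, "parent '%s' is not a top-level decoder" % parent))
        regex = d.find("regex")
        if regex is not None and regex.get("offset") == "after_prematch" \
                and d.find("prematch") is None:
            problems.append((name, "offset=after_prematch without a <prematch>"))
    return problems
```

Running check_decoders(DECODERS_XML) reports both child decoders whose parent 'rsyslog-pstats-main' is itself a child decoder.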