Sadly, the same result.

2013/08/04 18:30:16 ossec-testrule: INFO: Reading local decoder file.
2013/08/04 18:30:16 ossec-testrule: INFO: Started (pid: 19878).
ossec-testrule: Type one log per line.

        [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException


**Phase 1: Completed pre-decoding.
       full event: '    [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException'
       hostname: 'alienvault4sim'
       program_name: '(null)'
       log: '   [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.



On Sun, Aug 4, 2013 at 2:27 PM, Michael Starks <[email protected]> wrote:

> On 08/04/2013 12:19 PM, Jared wrote:
>
>> Would someone be so kind as to tell me what I am missing here?
>>
>> Raw log line:
>>
>>      [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException
>>
>> tab-bracket-yyyy-dash-mm-dd-space-hh-colon-mm-colon-ss-
>> comma(punctuation)-nnn-bracket
>> someRandomText
>>
>> Decoder:
>>
>> <decoder name="MailFailRLB">
>> <prematch>^\t[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] \w+ javax.mail.AuthenticationFailedException</prematch>
>> </decoder>
>>
>> Is missing something.
>>
>
> Try this:
>
> <decoder name="MailFailRLB">
> <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] javax.mail.AuthenticationFailedException</prematch>
> </decoder>
>
> There were two problems:
> 1. No tab at the beginning of the log line
> 2. no \w+ prior to javax.mail.AuthenticationFailedException
>
>


-- 
Thank you,

Jared R. Greene
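As an added example (not code from this thread and not OSSEC's own engine), the script below approximates OSSEC's os_regex prematch semantics with Python's `re` module and runs both prematch patterns from the thread against the log line exactly as ossec-testrule echoed it (leading whitespace included), against a tab-prefixed copy, and against the line with that whitespace stripped. The escape table, the `lenient` pattern and the sample strings are assumptions constructed for the illustration; in particular it assumes os_regex accepts `\s*` for optional leading spaces.

```python
import re

# Log lines constructed from what ossec-testrule echoed in the thread: the
# pasted line carried leading spaces, the sender described a leading tab,
# and the third copy is the same line with that whitespace stripped.
SAMPLE_LOGS = {
    "indented": "    [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException",
    "tabbed": "\t[2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException",
    "clean": "[2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException",
}

# The two prematch patterns posted in the thread, plus a constructed variant
# that tolerates leading spaces (assumes os_regex accepts `\s*`).
PREMATCH_PATTERNS = {
    "original": r"^\t[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] \w+ javax.mail.AuthenticationFailedException",
    "reply": r"^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] javax.mail.AuthenticationFailedException",
    "lenient": r"^\s*[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] javax.mail.AuthenticationFailedException",
}

# Assumed mapping of os_regex escapes onto Python re. This is a simplified
# emulation for checking patterns offline, not OSSEC's own matcher: here
# `[` and `]` are literal characters and `.` matches any character.
_OSSEC_ESCAPES = {
    r"\d": "[0-9]",
    r"\w": "[A-Za-z0-9_]",
    r"\s": " ",
    r"\t": r"\t",
    r"\.": r"\.",
    r"\\": r"\\",
}
_OSSEC_OPERATORS = set("^$+*.()|")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-style decoder regex into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            token = pattern[i:i + 2]
            # Known os_regex escape, otherwise an escaped literal character.
            out.append(_OSSEC_ESCAPES.get(token, re.escape(pattern[i + 1])))
            i += 2
        elif ch in _OSSEC_OPERATORS:
            out.append(ch)             # same meaning in Python re
            i += 1
        else:
            out.append(re.escape(ch))  # everything else, brackets included, is literal
            i += 1
    return "".join(out)


def prematch(pattern: str, log: str) -> bool:
    """True if the emulated prematch would fire on this log line."""
    return re.search(ossec_to_python(pattern), log) is not None


def check_thread_patterns() -> dict:
    """Run every pattern against every sample; keys are (pattern name, log name)."""
    return {
        (pname, lname): prematch(pat, log)
        for pname, pat in PREMATCH_PATTERNS.items()
        for lname, log in SAMPLE_LOGS.items()
    }


if __name__ == "__main__":
    for (pname, lname), hit in check_thread_patterns().items():
        print(f"{pname:9s} vs {lname:9s}: {'MATCH' if hit else 'no match'}")
```

Running it shows that the anchored `^[` pattern only fires once the leading whitespace is gone, which is the difference between the `log:` field ossec-testrule printed above and the cleaned line; the emulation is only a quick sanity check, and ossec-testrule remains the authoritative test before a decoder is loaded.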

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
