On Fri, Aug 9, 2013 at 1:52 PM, David Blanton
<[email protected]> wrote:
> Okay I'm starting to understand a bit more.
>
>>So, let's create a decoder:
>><decoder name="bnc3">
>>  <program_name>^logger</program_name>
>>  <prematch>^::\S+:\S+:\S+: </prematch>
>></decoder>
>
>>This one is pretty simple. Just looks for the program name logger, and
>>a simple prematch.
>
> So just to clarify, what exactly is the <prematch> looking for in your
> example? My understanding of \S+ is a string of characters
> and symbols. I don't understand how "::\S+:\S+:\S+:" translates into the
> whole log line, unless you are only matching for
> "::test-bnc3-web1:21197:-1222399088:"
>

I do not want to match the entire log line, only enough to recognize
that this log message belongs to this decoder. The rules will handle
matching the entire log message to something actionable.

> Given the above is true, I have another question. If I used <regex
> offset="after_prematch">, would I now be parsing for what comes after my
> initial prematch?

Yes, your regex would only be concerned with the stuff that comes
"after the prematch."

> So my after_prematch would be looking for " BNCServer not found on
> test-bnc3-reston:9305 - couldn't open socket: connection refused"? Or would
> that be after_regex?
>

What data are you trying to shove into variables? That's what your
regex will be concerned with.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

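To make the answer above concrete, here is a small added example (not code from the thread and not OSSEC's own code): a Python re-implementation of the three-stage matching a decoder does, run over constructed log lines. The first sample line is assembled from the "::test-bnc3-web1:21197:-1222399088:" and "BNCServer not found ..." fragments quoted in the thread, with a made-up syslog header; the <regex> and <order> for bnc3 are assumed, since the thread never settles on them, and all patterns are written in Python's re syntax rather than OSSEC's own dialect (which differs in places, e.g. OSSEC spells "anything" as \.+ where Python uses .+). What it shows is that <prematch> only has to claim the line, and that offset="after_prematch" means the <regex> is handed nothing but the text after the point where the prematch stopped.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not taken from the thread; the first one is
# assembled from the "::test-bnc3-web1:21197:-1222399088:" and "BNCServer
# not found ..." fragments quoted above, with a made-up syslog header).
SAMPLE_LOGS = [
    "Aug  9 13:40:01 test-bnc3-web1 logger: ::test-bnc3-web1:21197:-1222399088: "
    "BNCServer not found on test-bnc3-reston:9305 - couldn't open socket: connection refused",
    # logger line without the ::a:b:c: prefix -> prematch fails, decoder does not claim it
    "Aug  9 13:40:02 test-bnc3-web1 logger: scheduled job finished",
    # right prefix, wrong program -> program_name fails before the prematch is even tried
    "Aug  9 13:40:03 test-bnc3-web1 sshd[2201]: ::x:y:z: not from logger",
    # passes the prematch but not the regex -> decoder claims it, extracts no fields
    "Aug  9 13:40:04 test-bnc3-web1 logger: ::test-bnc3-web1:21198:-1222399088: BNCServer started",
]

# Syslog header split: OSSEC applies <program_name> to the program field and
# <prematch>/<regex> to the content that follows "program: ".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<content>.*)$"
)


@dataclass
class Decoder:
    name: str
    program_name: re.Pattern  # <program_name>
    prematch: re.Pattern      # <prematch>
    regex: re.Pattern         # <regex offset="after_prematch">
    order: list               # <order>: one OSSEC field name per capture group


# Python-re spelling of the bnc3 decoder from the thread, plus a <regex> and
# <order> that the thread does not give (assumed here for illustration).
BNC3 = Decoder(
    name="bnc3",
    program_name=re.compile(r"^logger"),
    prematch=re.compile(r"^::\S+:\S+:\S+: "),
    regex=re.compile(r"^BNCServer not found on (\S+):(\d+) - (.+)$"),
    # <order> must use OSSEC's fixed field names; there is no host field, so
    # the remote host is stored under dstip here.
    order=["dstip", "dstport", "extra_data"],
)


def decode(line, decoder):
    """Run one decoder over one syslog line.

    Returns None when the decoder does not claim the line, otherwise a dict
    holding the text the regex was given (everything after the prematch) and
    any fields it captured. As the thread says, the prematch alone decides
    ownership; a regex that fails just means no fields are extracted.
    """
    hdr = SYSLOG_HEADER.match(line)
    if hdr is None:
        return None
    if not decoder.program_name.search(hdr["program"]):
        return None
    content = hdr["content"]
    pre = decoder.prematch.search(content)
    if pre is None:
        return None
    after_prematch = content[pre.end():]  # this is what offset="after_prematch" means
    result = {"decoder": decoder.name, "after_prematch": after_prematch, "fields": {}}
    m = decoder.regex.search(after_prematch)
    if m is not None:
        result["fields"] = dict(zip(decoder.order, m.groups()))
    return result


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(decode(log, BNC3))
```

Running it prints one result per sample: the first line yields the host, port and failure reason as fields, the second and third are rejected before any field extraction (prematch and program_name respectively), and the fourth is claimed by bnc3 with an empty field set. When turning this into a real decoder, the same kind of check is done against the actual log with /var/ossec/bin/ossec-logtest, which reports which decoder claimed the line and which fields it filled.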