I have several log instances where the predecoding kinda gets in the way. Example:

Oct 14 13:17:56 ip-10-230-1-60 HubSpotService[1408]: HubSpotService@ip-10-10-10-10,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer

**Phase 1: Completed pre-decoding.
       full event: 'Oct 14 13:17:56 ip-10-10-10-10 HubSpotService[1408]: HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer'
       hostname: 'ip-10-10-10-10'
       program_name: 'HubSpotService'
       log: 'HubSpotService@ip-20-20-20-20,ErrorCode=2300,ErrorMessage=Network problem, connection unexpectedly closed by peer'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

I would like the event to be:

Oct 14 13:17:56 = Date
ip-10-10-10-10 = Hostname of generating server
HubSpotService[1408]: = dynamic application (about 20 possibilities here so far)
HubSpotService@ip-20-20-20-20, ErrorCode=2300, ErrorMessage=Network problem, connection unexpectedly closed by peer

I want to prevent the pre-decoding from processing this the way that it is. I want to focus on:

Extra_data = (HubSpotService)
hostname = (ip-10-10-10-10)
Extra_data = ErrorMessage=(Network problem, connection unexpectedly closed by peer)

But I can't seem to write a decoder that gets around the pre-decoding. I am unable to write a decoder that will match this event at all, and I have several others where I am in the same boat.

Jared
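A decoder and rule pair for this event, added here as an illustration and not part of Jared's message or of OSSEC's shipped rulesets. Custom decoders run against the `log` portion that pre-decoding leaves behind (here `HubSpotService@ip-20-20-20-20,ErrorCode=...`), and `hostname` is already filled in by pre-decoding, so nothing has to be bypassed; matching on the log text rather than on `program_name` also covers the other applications. The decoder name, the rule ids (100100/100101, in the local-rule range) and the alert levels are my assumptions, and the message goes into `data` because each decoded field holds one value and `extra_data` already carries the application name.

```xml
<!-- local_decoder.xml: match any "<app>@<host>,ErrorCode=<n>,ErrorMessage=<text>" log -->
<decoder name="app-errorcode">
  <!-- cheap pre-check on the log field left after pre-decoding -->
  <prematch>^\S+@\S+,ErrorCode=\d+,ErrorMessage=</prematch>
  <!-- captures: application name, numeric error code, free-text message -->
  <regex>^(\S+)@\S+,ErrorCode=(\d+),ErrorMessage=(\.+)$</regex>
  <order>extra_data, id, data</order>
</decoder>

<!-- local_rules.xml: alert on the decoded fields (assumed ids and levels) -->
<group name="local,app-errors,">
  <rule id="100100" level="5">
    <decoded_as>app-errorcode</decoded_as>
    <description>Application reported an error code.</description>
  </rule>

  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <id>^2300$</id>
    <description>Application lost its connection to a peer (ErrorCode 2300).</description>
  </rule>
</group>
```

Run the sample line through ossec-logtest after adding these files; Phase 2 should now report the decoder name with `extra_data`, `id` and `data` populated, and Phase 3 should pick rule 100101 instead of 1002.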