Hi,

Trying to configure OSSEC for our mail server I noticed that our postfix log 
format is different from what ossec expects with the default rules.

The postfix-reject decoder reads the source ip and an error id, but in our 
logs there is also a port present (instead of "[x.x.x.x]: id" we have 
"[ip]:port: id"). Here is a (shortened) example log entry:

Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from 
[x.x.x.x]:9011: 550 5.7.1 Service unavailable; client [ip] blocked using ...

I now tried to overwrite the "postfix-reject" decoder locally (I hesitated to 
modify it directly because I thought updates would overwrite the decoder file). 
The problem is that decoders can't have the same name and there is no 
"overwrite" option as there is for rules.
Adding another decoder and overwriting rule 3300 (Grouping of the postfix 
reject rules.) also showed no effect, probably because the old decoder matches 
before any decoder in "local-decoders.xml" has a chance to match the log 
entry.

Is it correct that I should try not to change the shipped decoders/rules but 
create my own ones?
And is there a way to overwrite a decoder (or have I completely missed some 
different way to solve this problem)?

I hope this is the correct list to ask this question and thank you for any 
ideas.

Regards,
Tobias Margiani
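As an added illustration (not part of the original post, and not OSSEC's own decoder code), the following Python shows the matching problem the post describes: a pattern written for "[ip]: id" fails on "[ip]:port: id", while a pattern that treats ":port" as optional decodes both shapes and still yields the same srcip and id fields. The sample lines and addresses are constructed (TEST-NET ranges), the pattern names are mine, and OSSEC's decoder regex dialect is not Python's, so only the logic of the change carries over: make the ":port" element optional between the closing bracket and the status id.

```python
import re
from collections import Counter

# Constructed sample lines: the first mirrors the shortened entry from the post
# (postscreen, with a port after the bracketed address), the second is the
# older "[ip]: id" shape without a port.
SAMPLE_LINES = [
    "Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from "
    "[192.0.2.10]:9011: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using dnsbl.example",
    "Apr 18 09:32:05 server postfix/smtpd[13500]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 554 5.7.1 <spam@example.net>: Relay access denied",
]

# Pattern that only understands "[ip]: id" (the shape the post says the
# shipped decoder expects). Hypothetical name, assumption for this example.
LEGACY = re.compile(
    r"NOQUEUE: reject: RCPT from \S*?\[(?P<srcip>[^\]]+)\]: (?P<id>\d+)"
)

# Same pattern, but with an optional ":port" allowed after the bracketed
# address. This is the one change the log format in the post requires.
WITH_PORT = re.compile(
    r"NOQUEUE: reject: RCPT from \S*?\[(?P<srcip>[^\]]+)\](?::(?P<port>\d+))?: (?P<id>\d+)"
)


def decode(line, pattern=WITH_PORT):
    """Return the fields a decoder would extract, or None if the pattern
    does not match (which is what makes the downstream rules go silent)."""
    m = pattern.search(line)
    if not m:
        return None
    fields = m.groupdict()
    return {
        "srcip": fields["srcip"],
        "port": fields.get("port"),  # None for lines without a port
        "id": fields["id"],
    }


def reject_counts(lines, pattern=WITH_PORT):
    """Count rejects per source address, skipping lines the pattern cannot
    decode. A quick way to see how many events a too-narrow pattern drops."""
    counts = Counter()
    for line in lines:
        decoded = decode(line, pattern)
        if decoded is not None:
            counts[decoded["srcip"]] += 1
    return counts


if __name__ == "__main__":
    for name, pattern in (("legacy", LEGACY), ("with_port", WITH_PORT)):
        print(name)
        for line in SAMPLE_LINES:
            print("  ", decode(line, pattern))
        print("   per-source rejects:", dict(reject_counts(SAMPLE_LINES, pattern)))
```

Running it shows the legacy pattern returning None for the postscreen line and therefore undercounting rejects, while the port-aware pattern decodes both lines with identical srcip and id values, which is what the grouping rule needs to fire on either log shape.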
