On Feb 7, 2017 6:28 AM, "Dominik" <reusser...@gmail.com> wrote:

I would like to write a decoder for a logfile with entries of the following
kind:


27.01.2017,09:06:17 [INFO] Engine-Version:  8.3.42.156
27.01.2017,09:06:17 [INFO] VDF-Version:  8.12.150.34
27.01.2017,09:06:17 [INFO] APC-Version:  2.7.1.3
27.01.2017,09:06:17 [INFO] RDF-Version:  14.0.5.76
27.01.2017,09:06:17 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
27.01.2017,09:06:18 [INFO] [ACP] Load Avira Communication Protocol and initialize message broker
27.01.2017,09:06:18 [INFO] [ACP] Publish the ACP activity resource
27.01.2017,09:06:18 [INFO] [ACP] Start of the ACP message broker is triggered
27.01.2017,09:06:18 [INFO] Verwendete Konfiguration der Echtzeit-Scanner:
      - Geprüfte Dateien: Dateien von lokalen Laufwerken prüfen
      - Geprüfte Dateien: Dateierweiterungsliste verwenden: .386 .?HT*
.ACM .ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT
.BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX
.DLL .DLO .DO* .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI
.INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG
.JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD
.OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT* .PPAM .PPS*
.PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB
.SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TSP .TTF .URL .VB? .VCS
.VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK
.XAR .XL* .XML .XXX .ZIP
      - Gerätemodus: Datei beim Öffnen durchsuchen, Datei nach
Schließen durchsuchen
      - Aktion: Benutzer fragen
      - Archive durchsuchen: Deaktiviert
      - Makrovirenheuristik: Aktiviert
      - Win32 Dateiheuristik: Erkennungsstufe mittel
      - Protokollierungsstufe: Standard
27.01.2017,09:06:18 [INFO] Online-Dienste stehen zur Verfügung.
27.01.2017,09:17:04 [INFO] Update-Auftrag gestartet!
27.01.2017,09:17:15 [INFO] ---------------------------------------------------------
27.01.2017,09:17:15 [INFO] Engine-Version:  8.3.42.156
27.01.2017,09:17:15 [INFO] VDF-Version:  8.12.150.78
27.01.2017,09:17:15 [INFO] APC-Version:  2.7.1.3
27.01.2017,09:17:15 [INFO] RDF-Version:  14.0.5.76
27.01.2017,09:17:15 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
27.01.2017,09:27:17 [WARNUNG] Der Zugriff auf die Datei 'H:\autorun.inf' wurde blockiert.



Currently, I do not care about the multi-line entries.

I managed to write the following decoders, which work fine:
<decoder name="aviraInfo">
  <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [INFO]</prematch>
</decoder>
<decoder name="aviraWarnung">
  <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [WARNUNG]</prematch>
</decoder>

I would like to add a parent that matches the date and the time and two
child-decoders that distinguish WARNUNG and INFO. However, I was
unsuccessful with the following attempt:

<decoder name="avira">
  <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
</decoder>

<decoder name="aviraInfo">
  <parent>avira</parent>
  <prematch offset="after_parent">INFO</prematch>
</decoder>
<decoder name="aviraWarning">
  <parent>avira</parent>
  <prematch offset="after_parent">WARNING</prematch>
</decoder>

As a result, only the first decoder matches. How do I get this to run?
Thanks in advance!


Only the parent decoder is mentioned in ossec-logtest. The child decoders
might be matching, but it's tough to tell without pulling any fields out.



-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
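Added example (not code from either poster): a parent/child decoder layout for the Avira lines above that keeps the poster's timestamp prematch, uses the level string as it actually appears in the log (the sample says WARNUNG, while the posted child decoder looked for WARNING), and pulls fields out of each child so that ossec-logtest prints something beyond the parent's name. The decoder names, the field choices (extra_data for the message, data for the blocked path) and the file name etc/local_decoder.xml are assumptions; OSSEC regex syntax is used (`\p` is punctuation, `\.` is any character, a plain `.` is a literal dot, `( )` groups).

```xml
<!-- Added example, not part of the original thread. Assumed to live in
     etc/local_decoder.xml and to be tested with ossec-logtest. -->

<!-- Parent: matches "DD.MM.YYYY,HH:MM:SS [" and stops right after the "[",
     so children with offset="after_parent" see "INFO] ..." or "WARNUNG] ...".
     Continuation lines (indented "- ..." entries) never start with a
     timestamp and are simply left undecoded, as the poster intended. -->
<decoder name="avira">
  <prematch>^\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d \p</prematch>
</decoder>

<!-- Child for "[INFO]" lines: the level and the closing "]" come first,
     then the rest of the line is kept as extra_data. -->
<decoder name="avira-info">
  <parent>avira</parent>
  <prematch offset="after_parent">^INFO\p </prematch>
  <regex offset="after_prematch">^(\.*)$</regex>
  <order>extra_data</order>
</decoder>

<!-- Child for "[WARNUNG]" lines. The blocked-access message in the sample
     carries the file path in single quotes; it is extracted into "data" so a
     rule can match on it (e.g. an autorun.inf on a removable drive). -->
<decoder name="avira-warning">
  <parent>avira</parent>
  <prematch offset="after_parent">^WARNUNG\p </prematch>
  <regex offset="after_prematch">^Der Zugriff auf die Datei '(\.*)' wurde blockiert</regex>
  <order>data</order>
</decoder>
```

Feeding `27.01.2017,09:27:17 [WARNUNG] Der Zugriff auf die Datei 'H:\autorun.inf' wurde blockiert.` to ossec-logtest should still report the parent name `avira` (that is what logtest shows for a child match, as the reply above notes), but with `data: 'H:\autorun.inf'` listed under it, which is the only reliable way to see that the WARNUNG child rather than the INFO child fired. A line whose level is spelled differently from what the child prematch expects is silently decoded by the parent alone, which is exactly the symptom described in the question.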