On Feb 7, 2017 6:28 AM, "Dominik" <reusser...@gmail.com> wrote:

> I would like to write a decoder for a logfile with entries of the following kind:
>
> 27.01.2017,09:06:17 [INFO] Engine-Version: 8.3.42.156
> 27.01.2017,09:06:17 [INFO] VDF-Version: 8.12.150.34
> 27.01.2017,09:06:17 [INFO] APC-Version: 2.7.1.3
> 27.01.2017,09:06:17 [INFO] RDF-Version: 14.0.5.76
> 27.01.2017,09:06:17 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
> 27.01.2017,09:06:18 [INFO] [ACP] Load Avira Communication Protocol and initialize message broker
> 27.01.2017,09:06:18 [INFO] [ACP] Publish the ACP activity resource
> 27.01.2017,09:06:18 [INFO] [ACP] Start of the ACP message broker is triggered
> 27.01.2017,09:06:18 [INFO] Verwendete Konfiguration der Echtzeit-Scanner:
> - Geprüfte Dateien: Dateien von lokalen Laufwerken prüfen
> - Geprüfte Dateien: Dateierweiterungsliste verwenden: .386 .?HT* .ACM .ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX .DLL .DLO .DO* .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT* .PPAM .PPS* .PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XAR .XL* .XML .XXX .ZIP
> - Gerätemodus: Datei beim Öffnen durchsuchen, Datei nach Schließen durchsuchen
> - Aktion: Benutzer fragen
> - Archive durchsuchen: Deaktiviert
> - Makrovirenheuristik: Aktiviert
> - Win32 Dateiheuristik: Erkennungsstufe mittel
> - Protokollierungsstufe: Standard
> 27.01.2017,09:06:18 [INFO] Online-Dienste stehen zur Verfügung.
> 27.01.2017,09:17:04 [INFO] Update-Auftrag gestartet!
> 27.01.2017,09:17:15 [INFO] ---------------------------------------------------------
> 27.01.2017,09:17:15 [INFO] Engine-Version: 8.3.42.156
> 27.01.2017,09:17:15 [INFO] VDF-Version: 8.12.150.78
> 27.01.2017,09:17:15 [INFO] APC-Version: 2.7.1.3
> 27.01.2017,09:17:15 [INFO] RDF-Version: 14.0.5.76
> 27.01.2017,09:17:15 [INFO] Echtzeit-Scanner-Version: 15.00.24.143
> 27.01.2017,09:27:17 [WARNUNG] Der Zugriff auf die Datei 'H:\autorun.inf' wurde blockiert.
>
> Currently, I do not care about the multi-line entries. I managed to write the following decoders, which work fine:
>
> <decoder name="aviraInfo">
>   <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [INFO]</prematch>
> </decoder>
>
> <decoder name="aviraWarnung">
>   <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [WARNUNG]</prematch>
> </decoder>
>
> I would like to add a parent that matches the date and the time, and two child decoders that distinguish WARNUNG and INFO. However, I was unsuccessful with the following attempt:
>
> <decoder name="avira">
>   <prematch>\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
> </decoder>
>
> <decoder name="aviraInfo">
>   <parent>avira</parent>
>   <prematch offset="after_parent">INFO</prematch>
> </decoder>
>
> <decoder name="aviraWarning">
>   <parent>avira</parent>
>   <prematch offset="after_parent">WARNING</prematch>
> </decoder>
>
> As a result, only the first decoder matches. How do I get this to run?
>
> Thanks in advance!
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Only the parent decoder is mentioned in ossec-logtest. The child decoders might be matching, but it's tough to tell without pulling any fields out.
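The reply's point is that ossec-logtest only reports the parent decoder's name, so the way to see whether a child matched is to have the child extract a field. The following decoder set is an added example for this thread, not the poster's configuration or anything shipped with OSSEC: it keeps the poster's parent/child shape, keys each child on the literal level token as it appears in the log sample (the sample writes the warning level as `WARNUNG]`, so that string is what the child has to look for), and has each child pull one value into one of OSSEC's fixed field names so the match becomes visible in ossec-logtest output. A local rule that fires on the blocked-file warning is included so the whole chain can be checked end to end. Decoder names, the rule ids (taken from the 100000-109999 local range), the choice of `data` and `extra_data` as field names, and the alert level are assumptions of this example.

```xml
<!-- Added example for ossec-list thread; not the poster's decoders. -->
<!-- Place in /var/ossec/etc/local_decoder.xml (decoders) and
     /var/ossec/rules/local_rules.xml (rules), then run ossec-logtest. -->

<!-- Parent: anchors on the "DD.MM.YYYY,HH:MM:SS [" prefix of every line.
     In OSSEC regex a bare "." is a literal dot, \d a digit, and "[" is
     not special, so this matches the timestamp as written in the log. -->
<decoder name="avira">
  <prematch>^\d\d.\d\d.\d\d\d\d,\d\d:\d\d:\d\d [</prematch>
</decoder>

<!-- Child for INFO lines: prematch resumes right after the parent's "[",
     then the regex (starting after this child's own prematch) captures the
     rest of the line into extra_data so ossec-logtest shows a decoded field. -->
<decoder name="avira-info">
  <parent>avira</parent>
  <prematch offset="after_parent">INFO] </prematch>
  <regex offset="after_prematch">(\.+)$</regex>
  <order>extra_data</order>
</decoder>

<!-- Child for the German warning level. The token is WARNUNG, exactly as in
     the sample line "[WARNUNG] Der Zugriff auf die Datei 'H:\autorun.inf'
     wurde blockiert."; the blocked path is captured into data. -->
<decoder name="avira-warnung">
  <parent>avira</parent>
  <prematch offset="after_parent">WARNUNG] </prematch>
  <regex offset="after_prematch">Der Zugriff auf die Datei '(\.+)' wurde blockiert</regex>
  <order>data</order>
</decoder>

<!-- Rules (local_rules.xml). decoded_as refers to the parent name; the
     children are treated as part of it for rule matching. -->
<group name="avira,">
  <!-- Level 0 grouping rule: collects all Avira lines without alerting. -->
  <rule id="100100" level="0">
    <decoded_as>avira</decoded_as>
    <description>Avira realtime scanner log line</description>
  </rule>

  <!-- Alert when the scanner blocked access to a file; the path is in
       the decoded "data" field and appears in the alert. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>WARNUNG] Der Zugriff auf die Datei</match>
    <description>Avira blocked access to a file</description>
  </rule>
</group>
```

To check it, paste one sample line into /var/ossec/bin/ossec-logtest: phase 2 of its output prints the decoder name and the decoded fields (`extra_data` for an INFO line, `data` holding the path for the WARNUNG line), and phase 3 prints the rule id and level that fired. A line whose child did not match still shows the parent decoder but no decoded field, which is the distinction the reply describes.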