Hi, I created a custom decoder in /var/ossec/etc/local_decoder.xml as:

    <decoder name="myapplication">
      <program_name>myapplication</program_name>
      <prematch>^myapplication: </prematch>
    </decoder>

The entry for the decoder in the manager's ossec.conf file is:

    <rules>
      <include>local_rules.xml</include>
      <decoder>etc/decoder.xml</decoder>
      <decoder>etc/local_decoder.xml</decoder>
      <decoder_dir>rules/plugins</decoder_dir>
    </rules>

When I run the logtest command, it shows this:

    /var/ossec/bin/ossec-logtest
    2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
    2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
    2017/06/09 20:08:54 ossec-testrule: INFO: Started (pid: 21573).
    ossec-testrule: Type one log per line.

    myapplication: This is a test

    **Phase 1: Completed pre-decoding.
           full event: 'myapplication: This is a test'
           hostname: 'ip-x.x.x.x'
           program_name: '(null)'
           log: 'myapplication: This is a test'

    **Phase 2: Completed decoding.
           No decoder matched.

I followed this link:
https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm

Can anyone help me out with this?

Thanks.