On Fri, Jun 9, 2017 at 11:21 AM, Akash Munjal <akashmunjal...@gmail.com> wrote:
>
> Hi,
>
> I created a custom decoder, /var/ossec/etc/local_decoder.xml, as:
>
> <decoder name="myapplication">
>   <program_name>myapplication</program_name>
>   <prematch>^myapplication: </prematch>
> </decoder>
>
> The decoder entry in the manager's ossec.conf file is:
>
> <rules>
>   <include>local_rules.xml</include>
>   <decoder>etc/decoder.xml</decoder>
>   <decoder>etc/local_decoder.xml</decoder>
>   <decoder_dir>rules/plugins</decoder_dir>
> </rules>
>
> When I run the logtest command it shows this:
>
> /var/ossec/bin/ossec-logtest
> 2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> 2017/06/09 20:08:54 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
> 2017/06/09 20:08:54 ossec-testrule: INFO: Started (pid: 21573).
> ossec-testrule: Type one log per line.
>
> myapplication: This is a test
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'myapplication: This is a test'
>        hostname: 'ip-x.x.x.x'
>        program_name: '(null)'

In your decoder you had program_name equal to myapplication. This is not how the event was decoded.

>        log: 'myapplication: This is a test'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> I followed this link:
>
> https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm
>
> Can anyone help me out with this?
>
> Thanks.......
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
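As an added example (not from the thread, and not OSSEC's own code), here is a small Python model of the two logtest phases applied to the decoder above. It assumes a simplified syslog-header regex and shows why a bare line typed into logtest leaves program_name unset, so a decoder with a program_name condition cannot match it, and that for a syslog-formatted line the prematch is tested against the text after the header, not the whole line.

```python
import re

# Constructed, simplified model of OSSEC's syslog pre-decoder header
# ("Jun  9 20:08:54 host program[pid]: message"); not OSSEC's real code.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "  # timestamp
    r"(?P<host>\S+) "                               # hostname
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: "            # program_name[pid]:
    r"(?P<log>.*)$"                                 # remaining log text
)

def pre_decode(event: str) -> dict:
    """Phase 1: without a syslog header the whole line stays in 'log' and
    program_name is None, which ossec-logtest prints as '(null)'."""
    m = SYSLOG_HEADER.match(event)
    if m is None:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}

def decoder_matches(fields: dict, program_name=None, prematch=None) -> bool:
    """Phase 2: each condition the decoder declares must hold. program_name is
    compared with the pre-decoded value; prematch is tested only against the
    'log' part, i.e. the text after the syslog header."""
    if program_name is not None and fields["program_name"] != program_name:
        return False
    if prematch is not None and re.search(prematch, fields["log"]) is None:
        return False
    return True

# The decoder from the thread, plus one variant for each input shape.
DECODERS = {
    "thread": {"program_name": "myapplication", "prematch": r"^myapplication: "},
    "syslog": {"program_name": "myapplication", "prematch": r"^This is"},
    "bare":   {"program_name": None, "prematch": r"^myapplication: "},
}

def run(event: str) -> dict:
    """Return, per decoder name, whether it matches the event."""
    fields = pre_decode(event)
    return {name: decoder_matches(fields, **cond) for name, cond in DECODERS.items()}

if __name__ == "__main__":
    # Constructed inputs: the bare line typed in the thread, and the same
    # message as it would appear in a syslog-formatted log file.
    for line in ("myapplication: This is a test",
                 "Jun  9 20:08:54 ip-x.x.x.x myapplication: This is a test"):
        print(pre_decode(line)["program_name"], run(line))
```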