Tried these with no result:

<decoder name="Buffalo-101">
  <program_name>kernelmon</program_name>
  <prematch>^TS5400R33A</prematch>
</decoder>

<decoder name="Buffalo-102">
  <parent>iptables</parent>
  <prematch>^TS5400R33A</prematch>
</decoder>



On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>
> If I run it through logtest I get iptables as the final decoder:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>        hostname: 'TS5400R33A'
>        program_name: 'kernelmon'
>        log: 'cmd=ioerr sdc READ 50030496 1'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
>
> I tried to make other custom decoders using iptables as the parent and/or 
> totally new decoders for this log but it always decodes the same.
>

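The following is an added example, not part of the original post and not OSSEC code: a simplified Python model of decoder selection, run on the pre-decoded fields shown in the logtest output above. It assumes the stock `iptables` decoder is keyed on `program_name` `^kernel` and that `prematch` is tested against the pre-decoded `log` field; `conditions`, `matches` and `final_decoder` are hypothetical helper names.

```python
import re

# Constructed from the logtest output in the post (fields after pre-decoding).
EVENT = {
    "hostname": "TS5400R33A",
    "program_name": "kernelmon",
    "log": "cmd=ioerr sdc READ 50030496 1",
}

# Buffalo-* are the decoders from the post, listed first (the most favourable
# order for them). The "iptables" entry is an ASSUMPTION about the stock decoder.
DECODERS = [
    {"name": "Buffalo-101", "program_name": "kernelmon", "prematch": "^TS5400R33A"},
    {"name": "Buffalo-102", "parent": "iptables", "prematch": "^TS5400R33A"},
    {"name": "iptables", "program_name": "^kernel"},
]

def conditions(decoder, event):
    """Return {condition: matched?} for every condition the decoder sets."""
    result = {}
    if "program_name" in decoder:
        result["program_name"] = bool(
            re.search(decoder["program_name"], event["program_name"]))
    if "prematch" in decoder:
        # Assumption: prematch sees only 'log'; the hostname was already split off.
        result["prematch"] = bool(re.search(decoder["prematch"], event["log"]))
    return result

def matches(decoder, event):
    return all(conditions(decoder, event).values())

def final_decoder(event, decoders=DECODERS):
    """First matching top-level decoder, refined by its first matching child."""
    for parent in decoders:
        if "parent" in parent or not matches(parent, event):
            continue
        for child in decoders:
            if child.get("parent") == parent["name"] and matches(child, event):
                return child["name"]
        return parent["name"]
    return None

if __name__ == "__main__":
    for d in DECODERS:
        print(d["name"], conditions(d, EVENT))
    print("final decoder:", final_decoder(EVENT))
```

In this model both custom decoders fail on their `prematch` condition because the `log` field begins with `cmd=ioerr`, not the hostname, so the event falls through to `iptables`, matching the Phase 2 output in the post.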