On Wed, Apr 25, 2018, 1:11 PM dan (ddp) <ddp...@gmail.com> wrote:

> On Wed, Apr 25, 2018, 12:37 PM Jacob Mcgrath <jacob.xtrememe...@gmail.com> wrote:
>
>> tried these with no result:
>>
>> <decoder name="Buffalo-101">
>>   <program_name>kernelmon</program_name>
>>   <prematch>^TS5400R33A</prematch>
>> </decoder>
>>
>> <decoder name="Buffalo-102">
>>   <parent>iptables</parent>
>>   <prematch>^TS5400R33A</prematch>
>> </decoder>
>>
> The parent decoder will always be displayed. For your decoders to really do anything, they will need to pull out some data into fields (regex and order).
>
> Also, I think prematch only works on the log message, not the metadata.
>
>> On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>>>
>>> This is the log sent to ossec:
>>>
>>> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>>>
>>> If I run through logtest I get iptables as the final decoder:
>>>
>>> **Phase 1: Completed pre-decoding.
>>> full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>>> hostname: 'TS5400R33A'
>>> program_name: 'kernelmon'
>>> log: 'cmd=ioerr sdc READ 50030496 1'
>>>
>>> **Phase 2: Completed decoding.
>>> decoder: 'iptables'
>>>
>>> I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log, but it always decodes the same.
>>>
>> --
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
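Putting dan's two points together (match on the pre-decoded program_name rather than on the hostname, and give the child decoder a regex/order so it actually extracts fields), the following is an added example of how such a decoder pair and a matching rule could look. It is not code from the thread or from the OSSEC project; the decoder names, the rule id, the choice of which OSSEC field receives which token, and the file placement are assumptions.

```xml
<!-- Added example (not from the thread). Assumed location: local_decoder.xml. -->

<!-- Parent decoder: matches on the pre-decoded program_name, which is where
     "kernelmon" ends up after Phase 1 (hostname TS5400R33A is metadata and
     cannot be matched with prematch). -->
<decoder name="kernelmon">
  <program_name>^kernelmon$</program_name>
</decoder>

<!-- Child decoder: prematch runs against the log body
     "cmd=ioerr sdc READ 50030496 1"; the regex then extracts the tokens
     that follow the prematch.  Field assignment is an assumption:
       extra_data = device (sdc), action = operation (READ),
       id = sector (50030496), status = trailing count (1). -->
<decoder name="kernelmon-ioerr">
  <parent>kernelmon</parent>
  <prematch>^cmd=ioerr </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) (\d+) (\d+)$</regex>
  <order>extra_data, action, id, status</order>
</decoder>

<!-- Added example rule. Assumed location: local_rules.xml; id 100100 is an
     arbitrary value from the local-rules range. -->
<group name="local,kernelmon,">
  <rule id="100100" level="7">
    <decoded_as>kernelmon</decoded_as>
    <match>cmd=ioerr</match>
    <description>Buffalo NAS kernelmon reported a disk I/O error</description>
  </rule>
</group>
```

With these in place, ossec-logtest should report `decoder: 'kernelmon'` in Phase 2 (the parent name is what logtest displays, as dan notes) and show the extracted fields in Phase 3 when the rule fires. If the log still decodes as iptables, check that the file containing the new decoders is loaded before the stock decoder set, since the first decoder whose program_name/prematch matches wins.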