On Fri, Oct 11, 2019 at 2:03 PM Diego S <rabits...@gmail.com> wrote:
> I'm using 2.0 version.
>

2.0 is ancient. Not much I can do to help with that.

> I'm not able to find the syntax error.
>
> Thanks!
>
> On Fri, Oct 11, 2019 at 14:51, dan (ddp) (<ddp...@gmail.com>) wrote:
>
>> On Fri, Oct 11, 2019 at 1:41 PM Diego S <rabits...@gmail.com> wrote:
>> >
>> > Thank you very much for your response.
>> > Let me know if I am wrong. The decoder will be like this:
>> >
>> > <decoder name="Brocade-format">
>> >   <prematch>^\d+\s\w\w\w\w\w, </prematch>
>> > </decoder>
>> >
>> > <decoder name="Brocade-login">
>> >   <parent>Brocade-format</parent>
>> >   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),</regex>
>> >   <order>user,second</order>
>> > </decoder>
>> >
>> > <decoder name="squid-accesslog">
>> >   <type>squid</type>
>> >   <prematch>^\d+ \S+ </prematch>
>> >   <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
>> >   <order>srcip,action,id,url</order>
>> > </decoder>
>> >
>> > But I'm getting a syntax error and I don't know why or where.
>> >
>> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.
>> >
>>
>> I'm not sure what's wrong there. Which version of OSSEC are you using?
>>
>> > Thanks and regards!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAGQH4FLk08YBG4NhaVQ9vG-nB-zF2%2Bo1GwnxSSvRbE62MGH2qA%40mail.gmail.com.