[ossec-list] Re: multiple OSSEC decoders on the same event has some problem
Now I wrote it like this:

    <decoder name="rsyslog-pstats-main">
      <parent>rsyslog-pstats</parent>
      <prematch>^main\sQ</prematch>
    </decoder>

    <!-- the names of the two child decoders did not survive the list
         archive; the names used here are placeholders -->
    <decoder name="rsyslog-pstats-main-full">
      <parent>rsyslog-pstats-main</parent>
      <regex>^\.*discarded\pfull=(\d+)\.*</regex>
      <order>extra_data</order>
    </decoder>

    <decoder name="rsyslog-pstats-main-nf">
      <parent>rsyslog-pstats-main</parent>
      <regex>^\.*discarded\pnf=(\d+)\.*</regex>
      <order>extra_data</order>
    </decoder>

but the server says:

    2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'rsyslog-pstats-main'.
    2013/03/05 12:27:03 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
    2013/03/05 12:27:03 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
    2013/03/05 12:28:13 ossec-syscheckd: INFO: Starting syscheck scan.

Thanks & best regards

From: root
Date: 2013-03-04 12:43
To: ossec-list
Subject: multiple OSSEC decoders on the same event has some problem

Hi all,

Now I want to match these events:

    2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
    2013-03-04T12:39:54.901163+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
    2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441
    2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0
    2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0
    2013-03-04T12:40:04.906921+08:00 localhost rsyslogd-pstats: action 2: processed=2393 failed=0
    2013-03-04T12:40:04.906923+08:00 localhost rsyslogd-pstats: action 3: processed=35 failed=0
    2013-03-04T12:40:04.906925+08:00 localhost rsyslogd-pstats: action 4: processed=2 failed=0
    2013-03-04T12:40:04.906926+08:00 localhost rsyslogd-pstats: action 5: processed=32 failed=0
    2013-03-04T12:40:04.906928+08:00 localhost rsyslogd-pstats: action 6: processed=0 failed=0
    2013-03-04T12:40:04.906930+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
    2013-03-04T12:40:04.906931+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0

I want to match all of the "failed" or "discarded" values.

My decoder looks like this:

    <decoder name="rsyslog-pstats">
      <program_name>^rsyslogd-pstats</program_name>
    </decoder>

    <!-- the names of the "action" and "discarded.nf" child decoders did not
         survive the list archive; the names used for them here are placeholders
         patterned after rsyslog-pstats-discarded-full, which the error below names -->
    <decoder name="rsyslog-pstats-action">
      <parent>rsyslog-pstats</parent>
      <prematch>^action\s\d+</prematch>
      <regex>^\.*failed=(\d+)</regex>
      <order>extra_data</order>
    </decoder>

    <decoder name="rsyslog-pstats-discarded">
      <parent>rsyslog-pstats</parent>
      <prematch>^main\sQ</prematch>
    </decoder>

    <decoder name="rsyslog-pstats-discarded-full">
      <parent>rsyslog-pstats-discarded</parent>
      <regex>^\.*discarded\pfull=(\d+)\.*</regex>
      <order>extra_data</order>
    </decoder>

    <decoder name="rsyslog-pstats-discarded-nf">
      <parent>rsyslog-pstats-discarded</parent>
      <regex>^\.*discarded\pnf=(\d+)\.*</regex>
      <order>extra_data</order>
    </decoder>

but OSSEC says:

    2013/03/04 12:35:47 ossec-analysisd(2107): ERROR: Decoder configuration error: 'rsyslog-pstats-discarded-full'.
    2013/03/04 12:35:47 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

I think this part has the problem, but I do not know why or how:

    <decoder name="rsyslog-pstats-discarded-full">
      <parent>rsyslog-pstats-discarded</parent>
      <regex>^\.*discarded\pfull=(\d+)\.*</regex>
      <order>extra_data</order>
    </decoder>

    <decoder name="rsyslog-pstats-discarded-nf">
      <parent>rsyslog-pstats-discarded</parent>
      <regex>^\.*discarded\pnf=(\d+)\.*</regex>
      <order>extra_data</order>
    </decoder>

Thanks & best regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Re: [ossec-list] Re: multiple OSSEC decoders on the same event has some problem
On Mon, Mar 4, 2013 at 11:30 PM, root wrote:
> Now I wrote it like this:
>
>     <decoder name="rsyslog-pstats-main">
>       <parent>rsyslog-pstats</parent>
>       <prematch>^main\sQ</prematch>
>     </decoder>
>
> [...]
>
> but the server says:
>
> 2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name
> invalid: 'rsyslog-pstats-main'.

My guess would be that a child cannot be a parent.

> 2013/03/05 12:27:03 ossec-analysisd(2106): ERROR: Error adding decoder
> plugin.
> 2013/03/05 12:27:03 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
> 2013/03/05 12:28:13 ossec-syscheckd: INFO: Starting syscheck scan.
>
> [...]
Re: [ossec-list] Re: multiple OSSEC decoders on the same event has some problem
    <decoder name="rsyslog-pstats">
      <program_name>^rsyslogd-pstats</program_name>
    </decoder>

    <!-- the child decoder names and the regex offset attribute did not survive
         the list archive: the names below are placeholders, and
         offset="after_prematch" is restored because a regex such as ^(\d+) can
         only match once the prematch has been consumed -->
    <decoder name="rsyslog-pstats-submitted">
      <parent>rsyslog-pstats</parent>
      <prematch>^\S+\p\S+:\d+\p: submitted=</prematch>
      <regex offset="after_prematch">^(\d+)</regex>
      <order>extra_data</order>
    </decoder>

    <decoder name="rsyslog-pstats-mainq">
      <parent>rsyslog-pstats</parent>
      <prematch>^main Q: </prematch>
      <regex offset="after_prematch">^\.+ discarded.full=(\d+) discarded.nf=(\d+)</regex>
      <order>extra_data, extra_data</order>
    </decoder>

    <decoder name="rsyslog-pstats-action">
      <parent>rsyslog-pstats</parent>
      <prematch>^action </prematch>
      <regex offset="after_prematch">^(\d+): processed=(\d+) failed=(\d+)</regex>
      <order>action, extra_data, extra_data</order>
    </decoder>

On Tue, Mar 5, 2013 at 6:21 PM, dan (ddp) wrote:
> On Mon, Mar 4, 2013 at 11:30 PM, root wrote:
>> [...]
>>
>> but the server says:
>>
>> 2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name
>> invalid: 'rsyslog-pstats-main'.
>
> My guess would be that a child cannot be a parent.
>
> [...]
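The decoder tree dan ends up with, run through a small emulation of how ossec-analysisd matches it against the pstats lines from the thread. This is an added example in my own code, not anything posted in the thread and not OSSEC's code. What it models: the parent decoder is selected by program_name, the first child whose prematch hits is taken, that child's regex runs (after the prematch, since dan's regexes only make sense with offset="after_prematch") and its captures are assigned, in order, to the named fields. It also models why root's second attempt fails, which is exactly dan's reading: analysisd resolves a <parent> only against decoders that have no parent of their own, so the tree is one level deep and naming a child as a parent is error 2101. Assumptions of mine: the child decoder names (rsyslog-pstats-submitted, -mainq, -action) and the offset attributes, the discarded counter values 3 and 7 and the sshd line in the sample input, and the translation of the OS_Regex dialect to Python's re, which is an approximation of the real engine rather than a port of it.

```python
"""Added example (my code, not the thread's or OSSEC's): emulate how ossec-analysisd walks
a decoder tree and run it over the rsyslogd-pstats lines from the thread.  OS_Regex is
translated to Python re, an approximation; confirm real decoders with ossec-logtest."""
import re
import xml.etree.ElementTree as ET

# Constructed input: thread lines with discarded counters changed to 3 and 7 (so the field
# overwrite is visible) plus one sshd line that none of these decoders owns.
SAMPLE_LOG = """\
2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=3 discarded.nf=7 maxqsize=1441
2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0
2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0
2013-03-04T12:40:05.000000+08:00 localhost sshd: Accepted publickey for ops from 10.0.0.5 port 2222 ssh2
"""

# dan's final decoders with the XML tags restored; the child names and the
# offset="after_prematch" attributes are my reconstruction, not from the post.
DECODERS_XML = r"""
<decoder name="rsyslog-pstats"><program_name>^rsyslogd-pstats</program_name></decoder>
<decoder name="rsyslog-pstats-submitted"><parent>rsyslog-pstats</parent>
  <prematch>^\S+\p\S+:\d+\p: submitted=</prematch>
  <regex offset="after_prematch">^(\d+)</regex><order>extra_data</order></decoder>
<decoder name="rsyslog-pstats-mainq"><parent>rsyslog-pstats</parent>
  <prematch>^main Q: </prematch>
  <regex offset="after_prematch">^\.+ discarded.full=(\d+) discarded.nf=(\d+)</regex>
  <order>extra_data, extra_data</order></decoder>
<decoder name="rsyslog-pstats-action"><parent>rsyslog-pstats</parent>
  <prematch>^action </prematch>
  <regex offset="after_prematch">^(\d+): processed=(\d+) failed=(\d+)</regex>
  <order>action, extra_data, extra_data</order></decoder>
"""

PUNCT = '()*+,-.:;<=>?[]!"\'#$%&|{}'        # what OS_Regex's \p matches
CLASSES = {'w': '[A-Za-z0-9@_-]', 'W': '[^A-Za-z0-9@_-]', 'd': '[0-9]', 'D': '[^0-9]',
           's': ' ', 'S': '[^ ]', 't': '\t', 'p': '[%s]' % re.escape(PUNCT),
           '.': '.'}       # "\." is any character in OS_Regex; a bare "." is a literal dot

def ossec_to_python(pattern):
    """Translate an OS_Regex pattern into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):
            out.append(CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in '()^$|+*' else re.escape(pattern[i]))
            i += 1
    return ''.join(out)

def os_re(pattern):
    return re.compile(ossec_to_python(pattern))

def load_decoders(xml_text):
    """Build the tree as analysisd does: only a decoder without <parent> can be a parent;
    naming a child in <parent> is its error 2101, 'Parent decoder name invalid'."""
    top = {}
    for el in ET.fromstring('<d>%s</d>' % xml_text).findall('decoder'):
        rx = el.find('regex')
        d = {'name': el.get('name'), 'parent': el.findtext('parent'), 'children': [],
             'program_name': el.findtext('program_name'), 'prematch': el.findtext('prematch'),
             'regex': None if rx is None else rx.text,
             'after_prematch': rx is not None and rx.get('offset') == 'after_prematch',
             'order': [f.strip() for f in (el.findtext('order') or '').split(',') if f.strip()]}
        if d['parent'] is None:
            top[d['name']] = d
        elif d['parent'] in top:
            top[d['parent']]['children'].append(d)
        else:
            raise ValueError("Parent decoder name invalid: '%s'" % d['parent'])
    return list(top.values())

SYSLOG_RE = re.compile(r'^\S+ \S+ (?P<prog>[^\s:]+): (?P<log>.*)$')   # syslog pre-decoding
def decode(line, decoders):
    """Return (decoder name, fields, raw captures), or None when no decoder claims the line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, log = m.group('prog'), m.group('log')
    for parent in decoders:
        if parent['program_name'] and not os_re(parent['program_name']).search(prog):
            continue
        if parent['prematch'] and not os_re(parent['prematch']).search(log):
            continue
        chosen, rest = parent, log
        for child in parent['children']:   # first child whose prematch hits is taken
            pm = child['prematch'] and os_re(child['prematch']).search(log)
            if pm:
                chosen = child
                rest = log[pm.end():] if child['after_prematch'] else log
                break
        fields, captures = {}, []
        if chosen['regex']:
            rm = os_re(chosen['regex']).search(rest)
            if rm:
                captures = list(rm.groups())
                for name, value in zip(chosen['order'], captures):
                    fields[name] = value   # one slot per field name: a repeated name keeps the last capture
        return chosen['name'], fields, captures
    return None

def run(sample=SAMPLE_LOG, xml_text=DECODERS_XML):
    decoders = load_decoders(xml_text)
    return [decode(line, decoders) for line in sample.splitlines()]

if __name__ == '__main__':
    print(*run(), sep='\n')
```

Two things worth noticing in the output. The imuxsock line is decoded only as far as the parent, rsyslog-pstats, with no fields, because no child's prematch hits it. And for the main Q line, `<order>extra_data, extra_data</order>` assigns two captures to the same field, so only the discarded.nf value survives: analysisd keeps one value per order field, so a decoder that needs both counters has to put them in different fields. To check the decoders against the real engine rather than this emulation, paste the same lines into /var/ossec/bin/ossec-logtest.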