Wow!!
Thank you so much, it worked like a charm :)
Pastebin really did the trick :D
Thanks for your time, I'll be around your blog trying to learn how to
write these decoders for myself :)
Vitor
On Oct 23, 4:08 am, "dan (ddp)" wrote:
> Here's the output for ossec-logtest for me:
> # /var/osse
I've been browsing your blog all afternoon, trying to come up with
something. The httpd program line idea came from your blog, but yields
no result.
On Oct 22, 9:09 pm, vcorreia wrote:
> It comes up with the same result with or without that line.
>
> On Oct 22, 8:39 pm, "
nd it may work (I can't test at the moment).
>
> On Fri, Oct 22, 2010 at 3:29 PM, vcorreia wrote:
> > No luck.
>
> > I've created the following local_decoder.xml file in /var/ossec/etc:
>
> >
> > ^httpd
> > ^"\.+" "\S+" \
20101012 Firefox/3.6.11"'
**Phase 2: Completed decoding.
No decoder matched.
:(
Vitor Correia
On Oct 22, 7:49 pm, "dan (ddp)" wrote:
> It worked fine for me. Make sure the decoder pasted nicely. It doesn't
> look very nice in gmail to me, and weird newlines m
I did what you said, but on logtest I keep getting this error:
**Phase 2: Completed decoding.
No decoder matched.
Vitor Correia
On Oct 22, 5:02 pm, "dan (ddp)" wrote:
> On Fri, Oct 22, 2010 at 11:35 AM, vcorreia wrote:
> > Hello,
>
> > It looks excellent :)
11) Gecko/20101012 Firefox/3.6.11"'
>
> To write a rule you'd use something like:
>
> PT
> something
>
>
> I'd run a bunch of logs through ossec-logtest to make sure it works on
> all of them and not just the one you posted. But this should be
Hello everyone,
How can I go about writing a decoder/rule to send me an email every
time a log entry like this is registered?
"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
Windows NT 6.1; en-US; rv:1.9.2.11