Decoder configuration error
24 views
Skip to first unread message
repquota
Jun 17, 2016, 12:46:21 PM6/17/16
to ossec-list
Hi guys,
I have a trouble nn local_decoder.xml file I have something like this:
<decoder name="freeradius">
<program_name>^freeradius</program_name>
</decoder>
<decoder name="freeradius_stop">
<parent>freeradius</parent>
<prematch>^Stopping</prematch>
<regex offset="after_prematch">^ FreeRADIUS\s(\S+)\s(\S+)</regex>
</decoder>
<decoder name="freeradius_start">
<parent>freeradius</parent>
<prematch>^Starting</prematch>
<regex offset="after_prematch">^ FreeRADIUS\s(\S+)\s(\S+)</regex>
</decoder>
and when I restarted ossec in logs I see :
2016/06/17 13:40:29 ossec-analysisd(2107): ERROR: Decoder configuration error: 'freeradius_stop'.
2016/06/17 13:40:29 ossec-testrule(1202): ERROR: Configuration error at '/etc/local_decoder.xml'. Exiting.
I created this decoder for this logs:
2016 Jun 16 16:44:26 (radius) 172.16.12.135->/var/log/syslog Jun 16 16:44:24 radius freeradius[29059]: Stopping FreeRADIUS daemon: freeradius.
2016 Jun 16 16:44:26 (radius) 172.16.12.135->/var/log/syslog Jun 16 16:44:24 radius freeradius[29063]: Starting FreeRADIUS daemon: freeradius.
Anybody has problem like this ?
I checked ossec-control file and script is ok.
dan (ddp)
Jun 17, 2016, 12:53:44 PM6/17/16
to ossec...@googlegroups.com
On Fri, Jun 17, 2016 at 12:44 PM, repquota <bartos...@gmail.com> wrote:
> Hi guys,
> I have a trouble nn local_decoder.xml file I have something like this:
>
> <decoder name="freeradius">
> <program_name>^freeradius</program_name>
> </decoder>
>
> <decoder name="freeradius_stop">
> <parent>freeradius</parent>
> <prematch>^Stopping</prematch>
> <regex offset="after_prematch">^ FreeRADIUS\s(\S+)\s(\S+)</regex>
You need an <order> here and in the following decoder.
> Hi guys,
> I have a trouble nn local_decoder.xml file I have something like this:
>
> <decoder name="freeradius">
> <program_name>^freeradius</program_name>
> </decoder>
>
> <decoder name="freeradius_stop">
> <parent>freeradius</parent>
> <prematch>^Stopping</prematch>
> <regex offset="after_prematch">^ FreeRADIUS\s(\S+)\s(\S+)</regex>
> </decoder>
>
> <decoder name="freeradius_start">
> <parent>freeradius</parent>
> <prematch>^Starting</prematch>
> <regex offset="after_prematch">^ FreeRADIUS\s(\S+)\s(\S+)</regex>
> </decoder>
>
> and when I restarted ossec in logs I see :
>
> 2016/06/17 13:40:29 ossec-analysisd(2107): ERROR: Decoder configuration
> error: 'freeradius_stop'.
> 2016/06/17 13:40:29 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/local_decoder.xml'. Exiting.
>
> I created this decoder for this logs:
>
> 2016 Jun 16 16:44:26 (radius) 172.16.12.135->/var/log/syslog Jun 16 16:44:24
> radius freeradius[29059]: Stopping FreeRADIUS daemon: freeradius.
> 2016 Jun 16 16:44:26 (radius) 172.16.12.135->/var/log/syslog Jun 16 16:44:24
> radius freeradius[29063]: Starting FreeRADIUS daemon: freeradius.
>
> Anybody has problem like this ?
>
> I checked ossec-control file and script is ok.
>
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
repquota
Jun 20, 2016, 5:02:03 AM6/20/16
to ossec-list
Hi Dan, you have right, <order> resolve my problem !! thanks!!
Reply all
Reply to author
Forward
0 new messages