List: ossec-list
Subject: [ossec-list] Predecoder question
From: Bill Price <billprice0052005 () gmail ! com>
Date: 2014-12-30 16:17:30
Message-ID: e0b49127-db23-494b-a905-3ece7342c91f () googlegroups ! com
I am trying to add some rules for our ESXi 5.5 servers. I am seeing some predecoder behaviour I don't understand: in two nearly identical messages the predecoder gives me different results.
For the following message:
2014-12-30T06:39:20.007Z cpu16:747537)World: 14302: VC opID hostd-b7af maps to vmkernel opID 7905d78d
the predecoder returns:
**Phase 1: Completed pre-decoding.
       full event: '2014-12-30T06:39:20.007Z cpu16:747537)World: 14302: VC opID hostd-b7af maps to vmkernel opID 7905d78d'
       hostname: 'SawMill'
       program_name: '(null)'
       log: '2014-12-30T06:39:20.007Z cpu16:747537)World: 14302: VC opID hostd-b7af maps to vmkernel opID 7905d78d'
However, if there is only a single digit after the "cpu" string, such as in the following message, which is identical to the first except for "cpu16" -> "cpu6":
2014-12-30T06:39:20.007Z cpu6:747537)World: 14302: VC opID hostd-b7af maps to vmkernel opID 7905d78d
**Phase 1: Completed pre-decoding.
       full event: '2014-12-30T06:39:20.007Z cpu6:747537)World: 14302: VC opID hostd-b7af maps to vmkernel opID 7905d78d'
       hostname: 'SawMill'
       program_name: '7537)World'
       log: '14302: VC opID hostd-b7af maps to vmkernel opID 7905d78d'
Any recommendations to get consistent behaviour? Any recommendations on ESXi messages?
Bill