Hi Dave, that happens. Maybe I didn't explain it very well.
Just add a prematch to the USB decoder in kernel-iptables_apparmor_decoders.xml
<https://github.com/wazuh/ossec-rules/commit/48db55be1917596f9de69a0d7e5efabe8d1dadd0>
and use this decoder in your local_decoder file:

<decoder name="local_iptables">
  <parent>iptables</parent>
  <prematch>^[\s*\d+.\d+] ipt:</prematch>
  <regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
  <order>action,srcip,dstip</order>
</decoder>

I'm glad to help!

Regards.

On Wednesday, May 25, 2016 at 4:35:19 AM UTC+2, Dave Vehrs wrote:
>
> Oh and if I follow the links in your reply you have already shown me the
> prematch to add!
>
> It's days like this that I almost feel like a blind man, the answer was
> there for me all!
>
> It's now all working and I will take the lesson to slow down to read &
> consider what is said in the replies before I rush off in some attempted
> fix.
>
> Thanks again!
>
> Dave
>

You received this message because you are subscribed to the Google Groups "ossec-list" group.
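The decoder in the reply can be checked against a sample line before it goes into local_decoder.xml; OSSEC's own tool for that is ossec-logtest. As an added illustration that is not part of this thread or of OSSEC's code, the Python below approximates how a child decoder is applied: the prematch must hit, the regex is then searched from the end of the prematch (offset="after_prematch"), and captured groups are named by <order>. The os_regex translation is an assumption-level approximation (os_regex matches case-insensitively, `\.` means any character and `[`/`]` are literals), and the kernel log line is constructed.

```python
import re

# Constructed sample: a kernel iptables LOG line with the dmesg-style timestamp
# and an "ipt:" --log-prefix, after OSSEC has stripped the syslog header.
SAMPLE_LINE = ("[  123.456789] ipt:DROP: IN=eth0 OUT= "
               "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
               "SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP "
               "SPT=51234 DPT=22 ")

# The <decoder name="local_iptables"> from the reply, as a dict.
LOCAL_IPTABLES = {
    "prematch": r"^[\s*\d+.\d+] ipt:",
    "regex": r"(\S+): in=\.+ src=(\S+) dst=(\S+) ",
    "offset": "after_prematch",
    "order": ["action", "srcip", "dstip"],
}


def os_regex_to_python(pattern):
    """Approximate translation of OSSEC os_regex syntax to Python re.

    In os_regex '\\.' means "any character", while a bare '.', '[' and ']'
    are literals; \\s \\S \\d \\w and ( ) | * + ^ $ keep their meaning.
    Other os_regex escapes such as \\p are not handled here.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
            continue
        out.append(ch if ch in "()|*+^$" else re.escape(ch))
        i += 1
    return "".join(out)


def decode(decoder, log):
    """Return {field: value} if the decoder matches the log text, else None."""
    flags = re.IGNORECASE  # os_regex compares case-insensitively
    pre = re.search(os_regex_to_python(decoder["prematch"]), log, flags)
    if not pre:
        return None
    start = pre.end() if decoder.get("offset") == "after_prematch" else 0
    m = re.search(os_regex_to_python(decoder["regex"]), log[start:], flags)
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))


if __name__ == "__main__":
    print(decode(LOCAL_IPTABLES, SAMPLE_LINE))
    # A line without the "ipt:" prefix fails the prematch and is not decoded.
    print(decode(LOCAL_IPTABLES, SAMPLE_LINE.replace("ipt:", "")))
```

Note the trailing space inside the <regex>: a line that ends right after the DST value would not match, so the sample keeps the LEN= field after it as real kernel lines do.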