Hi all, I have a problem with the dovecot decoder.
Example log:

Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>

Default dovecot decoder:

<decoder name="dovecot-aborted">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
  <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip, dstip</order>
</decoder>

Is it possible to create an additional decoder that extracts the same fields as the above decoder if the regex tag does not match but the prematch was matched?
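The sample line checked against the default regex, as an added example that is not part of the original post or OSSEC's own code: a Python approximation of OS_Regex matching shows the default regex failing on the missing ::ffff: prefix and on the session= field that follows lip, while a hypothetical relaxed pattern extracts the same three fields. The class translation table and the RELAXED pattern are assumptions.

```python
import re

# Sample line from the post, with the syslog header and "dovecot: " (the parent match) removed.
LOG = ("pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, "
       "method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>")

PREMATCH = r"^\w\w\w\w-login: Aborted login"
DEFAULT = (r": user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), "
           r"lip=::ffff:(\d+.\d+.\d+.\d+)$")
# Hypothetical variant: no ::ffff: prefix, no end-of-line anchor after lip.
RELAXED = r": user=\p(\S+)\p, method=\S+, rip=(\d+.\d+.\d+.\d+), lip=(\d+.\d+.\d+.\d+),"
ORDER = ("user", "srcip", "dstip")

# Assumed approximation of the OSSEC OS_Regex classes in Python syntax.
CLASSES = {"p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]", "w": r"[A-Za-z0-9@_-]",
           "s": " ", "S": "[^ ]", ".": "."}


def to_python(expr):
    """Translate an OS_Regex expression: a bare '.' is literal, '\\.' is any char."""
    out, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            out.append(CLASSES.get(nxt, "\\" + nxt))
            i += 2
            continue
        out.append(r"\." if c == "." else c)
        i += 1
    return "".join(out)


def decode(log, regex):
    """Return the extracted fields, or None when prematch or regex does not match."""
    pre = re.search(to_python(PREMATCH), log)
    if not pre:
        return None
    m = re.search(to_python(regex), log[pre.end():])  # offset="after_prematch"
    return dict(zip(ORDER, m.groups())) if m else None


if __name__ == "__main__":
    print("default:", decode(LOG, DEFAULT))  # prematch hits, regex does not
    print("relaxed:", decode(LOG, RELAXED))
```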