I believe I've figured it out -- I think the decoder isn't matching the full log string and is thus stripping the IP address information. Also, after looking at the regex in the decoder, I've discovered that it doesn't even match against the first three example strings provided.

Here's an example from the comments (after prematch):

    Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: la failed. The error code was: 3221225572

Yet the regex is:

    ^\.+: (\w+)\((\d+)\): (\.+):

The second (\d+) will only match against numbers, so (0x000002A9) will never match. It should be ([0-9A-Fx]+).

Also, why is it escaping the period at the beginning and at the end? Shouldn't the regex be:

    ^.+: (\w+)\((\d+)\): (.+):
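A small added check of the two patterns against the quoted sample line (my own example, not from the post or the OSSEC decoder). It uses Python's re module rather than OSSEC's own regex engine, so it only tests the shape of the patterns, with the escaped periods written as plain `.` and the sample line constructed to match the one quoted above.

```python
import re

# Constructed sample, shaped like the post-prematch line quoted in the post.
SAMPLE = (
    "Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: "
    "The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "from workstation: la failed. The error code was: 3221225572"
)

# Pattern as quoted, in Python syntax: the second group takes decimal digits only.
ORIGINAL = re.compile(r"^.+: (\w+)\((\d+)\): (.+):")
# Same pattern with the event-code group widened to accept the hex value.
FIXED = re.compile(r"^.+: (\w+)\(([0-9A-Fx]+)\): (.+):")


def decode(pattern, line):
    """Return the captured fields, or None when the pattern does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    return {"status": m.group(1), "code": m.group(2), "rest": m.group(3)}


if __name__ == "__main__":
    print("original:", decode(ORIGINAL, SAMPLE))  # None: '0x' breaks (\d+)
    print("fixed:   ", decode(FIXED, SAMPLE))
```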