I believe I've figured it out -- I think the decoder isn't matching the 
full log string and is thus stripping the IP address information. Also, 
after looking at the regex in the decoder, I've discovered that it doesn't 
even match against the first three example strings provided:

Here's an example from the comments (After prematch):
Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The 
logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from 
workstation: la failed. The error code was: 3221225572

yet, the regex is:
^\.+: (\w+)\((\d+)\): (\.+): 

The second (\d+) will only match against numbers, so (0x000002A9) will 
never match.  It should be ([0-9A-Fx]+)

Also, why is it escaping the period at the beginning and at the end? 
Shouldn't the regex be:
^.+: (\w+)\((\d+)\): (.+):
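
To check the two patterns against the thread's own sample line, here is an added Python script (not from the thread or from OSSEC itself). It translates OSSEC's regex dialect, where `\.` means "any character" and an unescaped dot is a literal dot, into Python `re`; the hex-capable variant uses `\w+` for the code group, since OSSEC's `\w` covers letters and digits. Anything beyond match/no-match and the captured code (for example how greedily the third group extends) is Python's behaviour and is assumed, not verified, to mirror OSSEC's own engine.

```python
import re

# Windows audit-failure line quoted in the thread (after prematch), joined
# back onto a single line as the decoder would see it.
SAMPLE_LOG = (
    "Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: "
    "The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from "
    "workstation: la failed. The error code was: 3221225572"
)

# Decoder regex as quoted in the thread, and a variant whose second group
# accepts a hex event code such as 0x000002A9 (\w+ instead of \d+).
ORIGINAL_REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): "
HEX_REGEX = r"^\.+: (\w+)\((\w+)\): (\.+): "


def ossec_to_python(pattern):
    """Translate OSSEC-dialect escapes to Python `re` syntax.

    In OSSEC's regex language `\\.` matches any character and a bare `.`
    is a literal dot, i.e. the opposite of Python; the other escapes used
    here (\\w, \\d, \\(, \\)) mean the same thing in both engines.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else ch + nxt)  # \. -> any char
            i += 2
        elif ch == ".":
            out.append(r"\.")  # bare dot is literal in OSSEC
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def decode(pattern, log):
    """Return the captured fields as a dict, or None when the regex fails."""
    m = re.match(ossec_to_python(pattern), log)
    if m is None:
        return None
    return {"event": m.group(1), "code": m.group(2), "rest": m.group(3)}


if __name__ == "__main__":
    print("original:", decode(ORIGINAL_REGEX, SAMPLE_LOG))  # None
    print("hex-aware:", decode(HEX_REGEX, SAMPLE_LOG))      # code 0x000002A9
```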

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.