The decoder mentioned earlier sometimes picked the wrong thing. This so far is working well:
<decoder name="ntp-offset">
  <parent>ossec</parent>
  <prematch offset="after_parent">'ntp-alert':\.+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+</prematch>
  <regex offset="after_prematch">^(\p\d\d\d\d)|(\d\d\d\d)</regex>
  <order>extra_data</order>
</decoder>