Hi Peter,

Change the first iptables-2 decoder to be like:

<decoder name="iptables-2">
  <parent>iptables</parent>
  <type>firewall</type>
  <prematch>^\S+ \S+ \d+ IN=</prematch>
  <regex>^\S+ (\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
  <regex>PROTO=(\w+) </regex>
  <order>action,srcip,dstip,protocol</order>
</decoder>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Dec 3, 2007 9:27 AM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Daniel:
>
> Thank you for this help, and your regular and timely help for ossec.
>
> I'm not able to change the formatting at present; we use Bastille for
> Linux, and I'm not sure (at present) what hacking I can get away with
> in that area.
>
> What would I change in the decode to support multiple spaces?
>
> Thank you.
>
