Hi Yongyoot,

You can use \t for tabs or \s+ for multiple spaces. In this case it looks like a tab. Also, since it is one log per line, you can just set the <log_format> to syslog, which supports any log that is stored as one entry per line.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Jun 19, 2008 at 6:37 AM, rMing <[EMAIL PROTECTED]> wrote:
>
> I am trying to decode "Exchange 2003 Message Tracking".
> The format is like this:
> # Message Tracking Log File
> # Exchange System Attendant Version 6.5.6944.0
> # Date Time client-ip Client-hostname Partner-Name
> Server-hostname
> server-IP Recipient-Address Event-ID MSGID Priority
> Recipient-Report-
> Status total-bytes Number-Recipients Origination-Time
> Encryption
> service-Version Linked-MSGID Message-Subject Sender-Address
>
>
> 2008-6-19 23:6:36 GMT 192.168.2.200 notify.ossec.net -
> 2K3R2
> 192.168.2.110 [EMAIL PROTECTED] 1019
> [EMAIL PROTECTED] 0 0 393 1 2008-6-19
> 23:6:35 GMT 0 Version: 6.0.3790.3959 - OSSEC Notification -
> ossec -
> Alert level 3 [EMAIL PROTECTED] -
>
> 2008-6-19 23:6:45 GMT 192.168.2.200 notify.ossec.net -
> 2K3R2
> 192.168.2.110 [EMAIL PROTECTED] 1033
> [EMAIL PROTECTED] 0 0 393 1 2008-6-19
> 23:6:35 GMT 0 Version: 6.0.3790.3959 - OSSEC Notification -
> ossec -
> Alert level 3 [EMAIL PROTECTED] -
>
> #######################################################################################
>
> But I have some problems:
> 1) The Message-Subject: I cannot define it. It has some spaces,
> and the number of spaces varies.
> 2) Can I use <TAB> to separate the columns? (instead of \s+)
> 3) On the client side, which <log_format> should I select?
>
> Thank you,
> Yongyoot
>
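
Added example (not part of the original thread, and not OSSEC code): a Python illustration of why splitting a Message Tracking record on tabs keeps Message-Subject intact while \s+ does not. The column names come from the header quoted above; the sample record is constructed, and its tab positions and placeholder addresses are assumptions.

```python
import re

# Column names copied from the "# Date Time ..." header line in the quoted log.
FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname "
          "server-IP Recipient-Address Event-ID MSGID Priority "
          "Recipient-Report-Status total-bytes Number-Recipients "
          "Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address").split()

# Constructed sample record: values modelled on the quoted log, addresses are
# placeholders, and the tab positions are an assumption.
SAMPLE = "\t".join([
    "2008-6-19", "23:6:36 GMT", "192.168.2.200", "notify.ossec.net", "-",
    "2K3R2", "192.168.2.110", "recipient@example.com", "1019",
    "<msgid@example.com>", "0", "0", "393", "1", "2008-6-19 23:6:35 GMT",
    "0", "Version: 6.0.3790.3959", "-",
    "OSSEC Notification - ossec - Alert level 3", "sender@example.com",
])


def parse_tab(line):
    """Split one record on tabs only; return None for header or blank lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    cols = line.split("\t")
    if len(cols) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}")
    # Extra trailing columns are ignored rather than shifted into named fields.
    return dict(zip(FIELDS, cols))


def parse_whitespace(line):
    """The \\s+ approach, for contrast: spaces inside a value split it too."""
    return re.split(r"\s+", line.strip())


if __name__ == "__main__":
    rec = parse_tab(SAMPLE)
    print(rec["Message-Subject"], "|", rec["Event-ID"])
    print(len(parse_whitespace(SAMPLE)), "columns with \\s+ vs", len(FIELDS))
```
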
