Hello all,

We use OSSEC 1.5 and 1.5.1 with the "local" function on a proftpd server and want to track access. We log proftpd events in /var/log/proftpd.log, and ossec.conf has been modified to read that log path.

The example in decoder.xml for proftpd:

    proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful.

conforms with our proftpd log.

Problem:
========
OSSEC doesn't recognise connections on our FTP server. It seems that OSSEC doesn't detect that format. When we send the following (including the ":" after proftpd[29395]):

    echo "Jun 25 08:20:07 server proftpd[12345]: server.home.xyz (2.2.2.2[2.2.2.2]): USER peter: Login successful." >> /var/log/proftpd.log

OSSEC now recognises that ":"-modified event. We modified the regex in decoder.xml with ":" to

    <regex>^: \S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+): </regex>

and restarted OSSEC, but it has no effect. Where is the problem? What could we do to solve it?

---
Thanks a lot
Joachim Krais
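As an added illustration (not code from the post and not OSSEC's own decoder), the script below reproduces the check a practitioner would run before editing decoder.xml: parse the syslog-style header first, then apply the proftpd decoder regex to what remains. It assumes, as is the case for OSSEC's syslog pre-decoder, that the header must end with "program[pid]: " before any child decoder runs; the Python translation of the decoder regex (OSSEC treats `[` and `]` as literals) and the two sample lines are constructed for this example.

```python
import re

# Syslog-style header as the pre-decoder expects it (assumption about the
# pre-decoder, modelled on the lines in the post): timestamp, host, program
# name, optional [pid], and a mandatory ": " before the message body.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Python translation of the decoder regex quoted in the post:
#   ^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+):
# OSSEC's [ and ] are literal brackets, so Python needs them escaped.
PROFTPD_MSG = re.compile(
    r"^\S+ \(\S+\[(?P<srcip>\S+)\]\)\s*\S \w+ (?P<user>\S+): "
)

# The poster's modified regex with a leading ": " (same translation applied).
PROFTPD_MSG_COLON = re.compile(
    r"^: \S+ \(\S+\[(?P<srcip>\S+)\]\)\s*\S \w+ (?P<user>\S+): "
)


def decode(line):
    """Return (stage, fields).

    stage is 'syslog' when the header did not parse (no child decoder runs),
    'decoder' when the header parsed but the proftpd regex did not match,
    and 'ok' when srcip and user were extracted.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return "syslog", {}
    if m.group("prog") != "proftpd":
        return "decoder", {"program_name": m.group("prog")}
    d = PROFTPD_MSG.match(m.group("msg"))
    if not d:
        return "decoder", {"program_name": "proftpd"}
    return "ok", {
        "program_name": "proftpd",
        "srcip": d.group("srcip"),
        "user": d.group("user"),
    }


def modified_regex_matches(line):
    """True if the ':'-prefixed regex matches the message body.

    The header parser already consumed the ': ' after the pid, so the body
    never starts with ': ' and this regex cannot match.
    """
    m = SYSLOG_HEADER.match(line)
    return bool(m) and PROFTPD_MSG_COLON.match(m.group("msg")) is not None


# Constructed sample lines: the first mimics proftpd's own output (no ':'
# after the pid), the second is the line written with echo in the post.
SAMPLES = [
    "Jun 25 08:20:07 server proftpd[12345] server.home.xyz "
    "(2.2.2.2[2.2.2.2]): USER peter: Login successful.",
    "Jun 25 08:20:07 server proftpd[12345]: server.home.xyz "
    "(2.2.2.2[2.2.2.2]): USER peter: Login successful.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode(sample), modified_regex_matches(sample))
```

Running it shows the first line failing at the header stage, so the decoder regex is never consulted, while the second line yields srcip and user; the ":"-prefixed regex matches neither line, which is consistent with the edit having no visible effect.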
