Giles, I sympathize. I've been having uneven results with ossec-logtest myself. http://groups.google.com/group/ossec-list/browse_thread/thread/062dc5bf32a1a4fe
If I understand correctly, <prematch> doesn't actually extract any fields; it's used to decide if the input is appropriate to the decoder. For example, a prematch would help to prevent a syslog decoder from processing an event from, say, a Windows event log by mistake. Only the regex extracts the fields.

Couple of things to try re. your regex expression: try escaping the colons like \: For some evaluators the colon is a special character. Also you could try *not* escaping the forward slashes. Some evaluators complain if you escape characters that don't need to be.

That's my two cents,
Dave
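The two-stage behaviour Dave describes (prematch selects the decoder, regex extracts the fields) as an added Python model; this is example code written for this thread, not OSSEC's own decoder engine. It keeps OSSEC's <decoder>/<prematch>/<regex>/<order> layout, but the patterns are written in Python regular-expression syntax (an assumption: OSSEC's own regex dialect differs, and it applies the regex after the prematch rather than over the whole line), and the sample log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed decoder file (added example, not from the OSSEC project).
# Layout follows an OSSEC decoder file; patterns use Python regex syntax,
# which is an assumption for illustration, not OSSEC's native dialect.
DECODERS_XML = r"""
<decoders>
  <decoder name="sshd">
    <prematch>^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]:</prematch>
    <regex>Failed password for (\S+) from (\S+) port (\d+)</regex>
    <order>user, srcip, srcport</order>
  </decoder>
  <decoder name="windows-logon-failure">
    <prematch>^WinEvtLog: Security:</prematch>
    <regex>Logon Failure.*User Name: (\S+).*Source Network Address: (\S+)</regex>
    <order>user, srcip</order>
  </decoder>
</decoders>
"""

# Constructed sample events: one sshd failure, one Windows logon failure,
# one unrelated syslog line, and one sshd line the regex does not cover.
SAMPLE_LINES = [
    "Mar  3 10:15:02 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 4411 ssh2",
    "WinEvtLog: Security: AUDIT_FAILURE(4625): An account failed to log on. "
    "Logon Failure. User Name: jdoe Source Network Address: 198.51.100.7",
    "Mar  3 10:16:40 host1 cron[510]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:17:01 host1 sshd[2210]: Accepted publickey for deploy from 192.0.2.5 port 5022 ssh2",
]


def load_decoders(xml_text):
    """Parse the decoder XML into (name, prematch, regex, field names) tuples."""
    decoders = []
    for node in ET.fromstring(xml_text.strip()).findall("decoder"):
        prematch = re.compile(node.findtext("prematch"))
        regex = re.compile(node.findtext("regex"))
        order = [f.strip() for f in node.findtext("order").split(",")]
        decoders.append((node.get("name"), prematch, regex, order))
    return decoders


def decode(line, decoders):
    """Two-stage decode: the prematch picks the decoder, the regex extracts fields.

    Returns (decoder_name, fields). A line whose prematch hits but whose
    regex misses is still attributed to that decoder with no fields, which
    is the 'decoder matched, nothing extracted' result a bad regex produces.
    """
    for name, prematch, regex, order in decoders:
        if not prematch.search(line):
            continue  # stage 1: this decoder is not meant for this input
        match = regex.search(line)  # stage 2: only the regex yields fields
        fields = dict(zip(order, match.groups())) if match else {}
        return name, fields
    return None, {}


def decode_all(lines, xml_text=DECODERS_XML):
    """Run every sample line through the decoders and collect the results."""
    decoders = load_decoders(xml_text)
    return [decode(line, decoders) for line in lines]


if __name__ == "__main__":
    for line, (name, fields) in zip(SAMPLE_LINES, decode_all(SAMPLE_LINES)):
        print(f"{name!s:24} {fields}  <- {line[:60]}")
```

Running it shows the Windows event never reaching the sshd decoder (its prematch fails), the cron line matching no decoder at all, and the "Accepted publickey" line passing the sshd prematch yet yielding no fields, which is the symptom to look for when ossec-logtest reports a decoder but no extracted values.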
