Hi, I've created two decoders and one is working correctly, but the second isn't.
I can't see where my error is. Can anyone help? Both work off the same parent, so the parent should be fine. Perhaps the slashes are throwing me off?

<!-- 2010-04-27 10:28:01,914 WARN [btpool0-1590://localhost/service/soap/AuthRequest] [[email protected];oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;] security - cmd=Auth; [email protected]; protocol=soap; error=authentication failed for [email protected], account lockout; -->
<decoder name="zimbra-audit2">
  <parent>zimbra</parent>
  <regex offset="after_parent">[\S+] [name=\S+;oip=(\d+.\d+.\d+.\d+);\S+;]</regex>
  <order>srcip</order>
</decoder>
