I can't test this at the moment, so be gentle. ;) Is oip= always an IP? If so, you could cut out a lot of the complexity by doing something like: <regex>oip=(\d+.\d+.\d+.\d+);</regex> If that works, you can then build up anything else you want around it. Get the important stuff working, and make the regex more specific afterwards. Also, the order of the decoders is important. I've gotten things to work before by moving them around a bit.
On Tue, Apr 27, 2010 at 11:03 AM, Eric B. Biondi <[email protected]> wrote:
> Hi
>
> I've created two decoders and one is working correctly, but the second
> isn't.
>
> I can't see where my error is. Can anyone help?
>
> Both work off the same parent, so the parent should be fine. Perhaps the
> slashes are throwing me off?
>
>
> <!--
> 2010-04-27 10:28:01,914 WARN
> [btpool0-1590://localhost/service/soap/AuthRequest]
> [[email protected];oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;]
> security - cmd=Auth; [email protected]; protocol=soap;
> error=authentication failed for [email protected], account lockout;
> -->
>
> <decoder name="zimbra-audit2">
> <parent>zimbra</parent>
> <regex offset="after_parent">[\S+]
> [name=\S+;oip=(\d+.\d+.\d+.\d+);\S+;]</regex>
> <order>srcip</order>
> </decoder>
>
>
> --
> Subscription settings:
> http://groups.google.com/group/ossec-list/subscribe?hl=en
>
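A quick offline check of the simplified regex suggested in the reply, added here and not part of the thread: it runs the proposed oip= capture against the log line quoted above and then validates the capture as an IPv4 address, which the regex alone cannot do. Python's re module is only a stand-in for OSSEC's own regex engine, whose syntax differs (the dots are escaped here to keep them literal), so the translation is an approximation of the decoder, not the decoder itself.

```python
import ipaddress
import re

# Constructed sample: the Zimbra audit line quoted in the thread above,
# with the addresses as they appear (redacted) on the page.
SAMPLE_LOG = (
    "2010-04-27 10:28:01,914 WARN "
    "[btpool0-1590://localhost/service/soap/AuthRequest] "
    "[[email protected];oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;] "
    "security - cmd=Auth; [email protected]; protocol=soap; "
    "error=authentication failed for [email protected], account lockout;"
)

# The reply's regex, oip=(\d+.\d+.\d+.\d+);, translated to Python syntax.
# Python's re is a stand-in for OSSEC's matcher (different syntax), so the
# dots are escaped to keep them literal in this translation.
OIP_RE = re.compile(r"oip=(\d+\.\d+\.\d+\.\d+);")


def extract_oip(line: str):
    """Return the raw oip= value captured by the regex, or None."""
    m = OIP_RE.search(line)
    return m.group(1) if m else None


def extract_srcip(line: str):
    """Return the oip= value only if it is a well-formed IPv4 address.

    The regex accepts any four runs of digits, so an octet such as 999
    still matches; ipaddress rejects it, which checks the reply's
    question ("is oip= always an IP?") per line rather than assuming it.
    """
    raw = extract_oip(line)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw))
    except ipaddress.AddressValueError:
        return None


if __name__ == "__main__":
    print(extract_srcip(SAMPLE_LOG))  # 1.2.3.4
```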
