Thank you very much Dave and Dan! I guess I was trying too hard. LOL Everything is working great with ossec.

Thanks so much to everyone involved with this project. I LOVE this program!!!

*************

Hi Eric,

First off, your entire regex is enclosed in square brackets which is incorrect. I'd try simplifying the regular expression to something like

<regex offset="after_parent">oip=(\d+.\d+.\d+.\d+);</regex>

Try that,
Dave

*************

I can't test this at the moment, so be gentle. ;)

Is oip= always an IP? If so, you could cut out a lot of the complexity by doing something like:

<regex>oip=(\d+.\d+.\d+.\d+);</regex>

If that works, you can then build up anything else you want around it. Get the important stuff working, and make the regex more specific afterwards.

Also, the order of the decoders is important. I've gotten things to work before by moving them around a bit.
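As an added example (not posted in this thread), here is a complete decoder pair that applies the advice above: a constructed parent decoder keyed on an assumed program name "myvpn", and a child decoder that captures the oip= address into srcip; the dots are escaped because an unescaped "." matches any character in OSSEC's regex syntax. Constructed log line to feed to /var/ossec/bin/ossec-logtest: "Jan 1 00:00:00 host myvpn: user=alice oip=203.0.113.5; status=connected".

```xml
<!-- Parent decoder: only has to identify the log source (assumed name "myvpn") -->
<decoder name="myvpn">
  <program_name>^myvpn</program_name>
</decoder>

<!-- Child decoder: evaluated only after the parent matched, so its regex
     starts after the program name and stays small and specific -->
<decoder name="myvpn-oip">
  <parent>myvpn</parent>
  <regex offset="after_parent">oip=(\d+\.\d+\.\d+\.\d+);</regex>
  <order>srcip</order>
</decoder>
```

Child decoders sharing a parent are tried in file order and the first match wins, which is why moving decoders around changes the result; keep the most specific child first.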
