----- Original Message ----- > Hi > > I've created two decoders and one is working correctly, but the second > isn't. > > I can't see where my error is. Can anyone help? > > Both work off the same parent, so the parent should be fine. Perhaps > the slashes are throwing me off? > > > <!-- > 2010-04-27 10:28:01,914 WARN > [btpool0-1590://localhost/service/soap/AuthRequest] > [[email protected];oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;] > security - cmd=Auth; [email protected]; protocol=soap; > error=authentication failed for [email protected], account lockout; > --> > > <decoder name="zimbra-audit2"> > <parent>zimbra</parent> <regex offset="after_parent">[\S+] > [name=\S+;oip=(\d+.\d+.\d+.\d+);\S+;]</regex> <order>srcip</order> > </decoder> > Eric,
what are you specifically trying to trap from Zimbra ? I may be able to share some of my rules if you would like. -- Thanks, Phil (uxbod - Zimbra moderator)
