Add it to the end of /var/ossec/etc/decoder.xml and try again. It should complain that there is a duplicate decoder. If not, for some reason it's not reading your local_decoder.xml. If it does and the log isn't matching, something's wrong with the decoder.
On Fri, Oct 22, 2010 at 4:12 PM, vcorreia <[email protected]> wrote: > I've been browsing your blog all afternoon, trying to come up with > something. The httpd program line idea came from your blog, but yields > no result. >
