Hi, On Tue, Dec 28, 2010 at 5:53 AM, Js Opdebeeck <[email protected]> wrote:
> > Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28 > 06:54:34 2010;680;Security;DOMAINUSER;User;Success > Audit;ADSERVER;Account Logon;;Logon attempt by: > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER > Source Workstation: DOMAINSTATION Error Code: 0x0 ; > 23866818 > > The field separator that SNARE is using is ";". The OSSEC decoder expects it to be a tab character. There should be some setting in SNARE that will allow you to change it to the tab character. Regards, Chris
