Hello, I added a new decoder for named because one of my zone transfer logs doesn't extract the IP address, and I need the IP address for a rule.
I think the decoder called "named_client" matches this kind of log:

    Aug 31 10:22:14 testsrv named[7582]: client 192.168.10.2#36877: transfer of '18.192.in-test.com/IN': AXFR started

But I have another kind of log, like this:

    Aug 31 15:45:02 testsrv named[7582]: transfer of 'domain.test.com/IN' from 192.168.10.2#53: Transfer completed: 6 messages, 6 records, 10 bytes, 0.17 secs (75 bytes/sec)

So I added this decoder:

    <decoder name="named_transfer">
      <parent>named</parent>
      <prematch>^transfer </prematch>
      <regex offset="after_prematch">^of (\S+) from (\d+.\d+.\d+.\d+)#</regex>
      <order>id, srcip</order>
    </decoder>

Maybe some of you are interested in this decoder or in the log line?

AB

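Added example, not part of the post above: a Python emulation of the two decoders (the stock named_client and the new named_transfer) run over constructed copies of both log lines, with the OSSEC regex translated to Python syntax, followed by the kind of allowlist check the rule mentioned above would need. The third log line, the ALLOWED_TRANSFER_PEERS address and the extra zone capture in named_client are assumptions for the example.

```python
import re

# Constructed sample lines, already stripped of the syslog header and "named[pid]: "
# prefix, which is what OSSEC hands to child decoders of the "named" parent.
SAMPLE_LOGS = [
    "client 192.168.10.2#36877: transfer of '18.192.in-test.com/IN': AXFR started",
    "transfer of 'domain.test.com/IN' from 192.168.10.2#53: Transfer completed: "
    "6 messages, 6 records, 10 bytes, 0.17 secs (75 bytes/sec)",
    "zone example.test/IN: loaded serial 2023083101",  # constructed non-transfer line
]

# Python equivalents of the decoders. OSSEC's "\d+.\d+.\d+.\d+" is written as an
# explicit dotted quad here; "\S+" maps directly. Each entry: (name, pattern, order).
DECODERS = [
    ("named_client",
     re.compile(r"^client (\d+\.\d+\.\d+\.\d+)#\d+: transfer of (\S+):"),
     ("srcip", "id")),
    ("named_transfer",
     re.compile(r"^transfer of (\S+) from (\d+\.\d+\.\d+\.\d+)#"),
     ("id", "srcip")),
]


def decode(line):
    """Return (decoder_name, fields) for the first matching decoder, else (None, {})."""
    for name, pattern, order in DECODERS:
        m = pattern.match(line)
        if m:
            # The zone name is captured with its surrounding quotes; drop them.
            return name, {k: v.strip("'") for k, v in zip(order, m.groups())}
    return None, {}


# Constructed allowlist of secondaries that are permitted to pull zones.
ALLOWED_TRANSFER_PEERS = {"192.168.10.3"}


def unexpected_transfers(lines, allowed=ALLOWED_TRANSFER_PEERS):
    """Return [(srcip, zone)] for transfer events whose source is not an allowed peer."""
    hits = []
    for line in lines:
        name, fields = decode(line)
        if name and fields.get("srcip") and fields["srcip"] not in allowed:
            hits.append((fields["srcip"], fields["id"]))
    return hits
```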