On Wed, Feb 1, 2012 at 2:49 PM, Kat <[email protected]> wrote:
> What am I missing - it just keeps firing on the windows-date-format --
> so frustrating, it must be simple, I am just blind today:
>

Either put it before the windows-date-format decoder or make it a child of that decoder.

> Log entry:
>
> 2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator
>
> decoder:
>
> <decoder name="fw-private">
>   <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
> </decoder>
>
> <decoder name="fw-private-alert">
>   <parent>fw-private</parent>
>   <regex offset="after_parent">^Package: (\.+):\.+</regex>
>   <order>data</order>
> </decoder>
>
> And I want to store the "attack.vector" in 'data', but it just keeps
> triggering:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'
>        hostname: 'ossex'
>        program_name: '(null)'
>        log: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '0'
>        Description: 'Unknown problem somewhere in the system.'
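The second option in the reply, written out as an added example (this is not configuration from the thread or from the OSSEC project itself). It assumes the stock windows-date-format decoder in decoder.xml uses the same timestamp prematch that Kat copied, and that local_decoder.xml and local_rules.xml are loaded after the stock files, which is why a second top-level decoder with an identical prematch never gets a turn: OSSEC tries decoders in load order and the first prematch that fits wins. The rule id 100100 and the group name are placeholders chosen for the example.

```xml
<!-- local_decoder.xml (added example, not from the thread or from OSSEC).
     Hook the custom decoder under the stock windows-date-format decoder
     instead of redefining its prematch. Assumed stock definition:
       <decoder name="windows-date-format">
         <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
       </decoder>
     Because the stock decoder already consumed the timestamp, the child
     only has to describe what follows it. -->

<decoder name="fw-private-alert">
  <!-- Parent is the stock decoder that already matched the timestamp. -->
  <parent>windows-date-format</parent>
  <!-- Matching resumes right after the parent's prematch, i.e. at "Package:".
       In OSSEC regex syntax "\." means any character, so (\.+) captures
       "attack.vector" up to the colon that follows it. -->
  <regex offset="after_parent">^Package: (\.+):\.+</regex>
  <!-- The single capture group is stored in the "data" field. -->
  <order>data</order>
</decoder>

<!-- local_rules.xml (added example). A rule that reads the decoded field;
     "data" from a decoder is matched by <extra_data> in a rule.
     Rule id 100100 is a placeholder in the local range. -->
<group name="local,fw-private,">
  <rule id="100100" level="5">
    <if_sid>1002</if_sid>
    <extra_data>attack.vector</extra_data>
    <description>Package decoder stored attack.vector in data</description>
  </rule>
</group>
```

To check it, run /var/ossec/bin/ossec-logtest, paste the log line from the thread, and confirm that Phase 2 now shows a data field of 'attack.vector' beneath the decoder line and that Phase 3 no longer stops at rule 1002. The alternative the reply mentions, placing fw-private ahead of windows-date-format, only works if it physically precedes that decoder in load order, which means editing decoder.xml itself and re-applying the change on every upgrade; the child decoder avoids that.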
