Try with this:

\d+-\d+-\d+\w\d+:\d+:\d+\+\d+:\d+ CRIT Not valid template file\:

Best regards
woodspeed

Sorry woodspeed, but your regex did not do the trick. I think you cannot write \+ because it gives a configuration error.

Hi Daniel,

I am trying to decode this log:

2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/ default/template/exacttarget/top_sub.phtml

but I am unsuccessful. I will send email when 2011-12-28T08:30:59+00:00 CRIT is detected a couple of times in a short period of time. But with logtest and my regex I am unable to decode this log entry.

My guess is that OSSEC cannot decode the 2011-12-28T08:30:59+00:00 format, and I am successful with this format: 2011-12-28 08:30:59+00:00.

So this regex works:

^\d+-\d+-\d+\s\d+:\d+:\d+\p\d+:\d+\sCRIT

and this does not:

^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+\sCRIT

Again, thank you all for the quick response,
Gojko Paunovic
