Actually I'm going to try to just flip/flop the fields. Using logtest on 
some of the events seems to show good results. If it works well, then we 
should change the default decoder next release. 

On Monday, April 9, 2012 8:50:57 AM UTC-7, BP9906 wrote:
>
> Hi Dan,
> I used your custom windows-sub1 filter to properly decode usernames for 
> all the various contexts of windows event logs. It works great, however, I 
> end up with 2 username fields (i.e. srcuser and dstuser). OSSEC treats 
> srcuser as username and thus I don't see a way to include the dstuser to see 
> the top entries for dstuser. Is there a way to include this currently? If 
> not, I'll post a request on the bug tracking site.
>
> Thanks!
>
>
