I am trying to write a decoder that can decode this line:

```
Sep 6 09:24:35 webapps bash[22227]: . root : whoami
```
Here is what I have for decoders:

```xml
<decoder name="basht">
  <program_name>^bash</program_name>
</decoder>

<decoder name="basht-command">
  <parent>basht</parent>
  <prematch>^. </prematch>
  <regex offset="after_prematch">\w+ : \.+$</regex>
  <order>user,extra_data</order>
</decoder>
```

The *basht* decoder is being found and running, but I don't get any output with *user* or *extra_data* when I run *ossec-logtest*. What am I messing up in my regex?
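For comparison, here is the same pair of decoders with the one change that makes OSSEC populate the fields (an added example, not the asker's own configuration). OSSEC's regex dialect assigns values from `<order>` only to parenthesised groups, and `\.` means "any character" while a bare `.` is a literal dot, so the `prematch` is fine as written and the `regex` only needs its two groups:

```xml
<!-- Added example, not the asker's own config: the same two decoders with
     the one change the question needs. In OSSEC regex syntax, fields are
     extracted only from parenthesised groups; "\w+ : \.+$" matches the text
     but captures nothing, so <order> has nothing to assign. -->
<decoder name="basht">
  <program_name>^bash</program_name>
</decoder>

<decoder name="basht-command">
  <parent>basht</parent>
  <!-- "." is a literal dot in OSSEC regex ("\." is any character), so this
       anchors on the ". " that follows "bash[22227]: " in the sample line -->
  <prematch>^. </prematch>
  <!-- Group 1 is assigned to user, group 2 to extra_data, per <order> -->
  <regex offset="after_prematch">(\w+) : (\.+)$</regex>
  <order>user,extra_data</order>
</decoder>
```

With the groups in place, running the sample line through *ossec-logtest* assigns the first group (`root`) to *user* and the second (`whoami`) to *extra_data*; the `program_name` match is unaffected because OSSEC strips the `[22227]` PID before comparing it.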
