Hi all,
I wrote a decoder like this:
<decoder name="Security-Auditing-failure">
  <program_name>Security-Auditing-failure</program_name>
  <regex>(计算机试图验证帐户的凭据)</regex>
  <order>srcip</order>
</decoder>
But when I test this log:
Jan 22 11:49:13 QAD2008PDC Security-Auditing: 4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0
it cannot match this log!
**Phase 1: Completed pre-decoding.
full event: 'Jan 22 11:49:13 QAD2008PDC Security-Auditing: 4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0'
hostname: 'QAD2008PDC'
program_name: 'Security-Auditing'
log: '4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0'
**Phase 2: Completed decoding.
No decoder matched.
Thanks & Best Regards