Hello All,

I have a local decoder that extracts fields correctly at phase 2 of the logtest from v2.6 but returns "No decoder matched" at phase 2 of the logtest from v2.7. My decoder and log line follow.

<decoder name="conn">
  <program_name>conn</program_name>
</decoder>

<decoder name="e-conn">
  <parent>conn</parent>
  <regex offset="after_parent">connection (\d+)</regex>
  <order>srcip</order>
</decoder>

Jan 12 12:12:12 hostname conn: connection 10

I also noticed that the custom decoder and ForecField log entries here <http://www.ossec.net/doc/manual/rules-decoders/create-custom.html> are not properly extracted at phase 2 of the logtest in v2.7.

Has anyone else had difficulties with local decoders between v2.6 and v2.7?

-AK
