I haven't tested anything on an installation, so I don't know if this is the cause of your issue or not, but your regex looks overly complex. Have you tried reducing the number of captured fields?
-Anthony

On Fri, Mar 22, 2013 at 2:29 PM, Chris Decker <[email protected]> wrote:
> All,
>
> I'm trying to decode a log that is tab-delimited. When I paste my sample
> log into logtest I'm seeing what appears to be a limitation in the number of
> fields that can be extracted - notice how the field that should have gone
> into 'extra_data' actually went into 'dstuser'.
>
> Did I discover a bug, a known limitation, or is there something I am doing
> incorrectly?
>
> <decoder name="log">
> <prematch>\d*\t</prematch>
> <regex>\d*\t(\w+)\t(\d*.\d*.\d*.\d*)\t(\d*)\t(\d*.\d*.\d*.\d*)\t(\d*)\t\.*\t(\w*)\t(\.*)\t(\.*)\t(\.*)\t</regex>
> <order>id,srcip,srcport,dstip,dstport,action,url,extra_data,extra_data,status,user</order>
> </decoder>
>
> log: '1363971591.501387 dQ8eQftYbig 1.2.3.4 34483 1.2.3.4 80 1 GET
> somewebsite.com/blah https://www.google.com/ SomeBrowser 0 10837 200 OK - -
> 1.pdf application/pdf'
>
> **Phase 2: Completed decoding.
> decoder: 'bro_http_log2'
> id: 'dQ8eQftYbig'
> srcip: '1.2.3.4'
> srcport: '34483'
> dstip: '1.2.3.4'
> dstport: '80'
> action: 'GET'
> url: 'somewebsite.com/blah'
> dstuser: 'https://www.google.com/'
>
> Thanks,
> Chris
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
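An added example, written for this page and not code from either poster or from OSSEC: a small Python check of the decoder quoted above. It counts the capture groups in the posted <regex>, compares them with the names in <order>, and decodes the sample line outside OSSEC so each group's value can be seen next to the name it would land on. The sample line is a constructed copy of the poster's log with the tabs restored (the mail client turned them into spaces). The OSSEC-to-Python translation is a deliberate simplification and an assumption: it does not emulate OSSEC's regex engine or any field-count limit in the decoder, it only follows the syntax the posted decoder uses.

```python
"""Sanity-check an OSSEC-style decoder against a tab-delimited log line.

Added example, not OSSEC code: it counts capture groups in the posted
<regex>, compares them with the <order> list, and decodes the line with
Python's re module under a simplified reading of OSSEC regex syntax.
"""
import re

# Constructed input: the poster's sample line with the tabs restored.
SAMPLE_LOG = "\t".join([
    "1363971591.501387", "dQ8eQftYbig", "1.2.3.4", "34483", "1.2.3.4", "80",
    "1", "GET", "somewebsite.com/blah", "https://www.google.com/",
    "SomeBrowser", "0", "10837", "200", "OK", "-", "-", "1.pdf",
    "application/pdf",
])

# The <regex> and <order> exactly as posted in the thread.
OSSEC_REGEX = (r"\d*\t(\w+)\t(\d*.\d*.\d*.\d*)\t(\d*)\t(\d*.\d*.\d*.\d*)\t"
               r"(\d*)\t\.*\t(\w*)\t(\.*)\t(\.*)\t(\.*)\t")
ORDER = ("id,srcip,srcport,dstip,dstport,action,url,"
         "extra_data,extra_data,status,user").split(",")


def count_capture_groups(ossec_regex):
    """Number of opening parentheses that are not escaped, i.e. groups."""
    return len(re.findall(r"(?<!\\)\(", ossec_regex))


def check_order(ossec_regex, order):
    """Report <order> names no capture group can fill, plus duplicate names."""
    groups = count_capture_groups(ossec_regex)
    return {
        "groups": groups,
        "order_len": len(order),
        "unfilled": order[groups:],
        "duplicates": sorted({n for n in order if order.count(n) > 1}),
    }


def ossec_to_python(ossec_regex):
    r"""Translate the subset of OSSEC regex syntax used here to Python re.

    Assumptions (simplifications, not OSSEC's engine): OSSEC '\.' (anything)
    becomes '[^\t]' so a wildcard cannot run across a tab separator, and a
    bare '.' is taken as a literal dot. \d, \w and \t mean the same in both.
    """
    out, i = [], 0
    while i < len(ossec_regex):
        ch = ossec_regex[i]
        if ch == "\\" and i + 1 < len(ossec_regex) and ossec_regex[i + 1] == ".":
            out.append(r"[^\t]")
            i += 2
        elif ch == ".":
            out.append(r"\.")
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def decode(log_line, ossec_regex, order):
    r"""Map capture groups onto <order> names; None if the regex does not match.

    Searches anywhere in the line rather than anchoring at the start: the
    leading timestamp contains a '.', so '\d*\t' first matches at its
    fractional part. Names beyond the last group are dropped by zip(), and a
    duplicated name keeps the later group's value.
    """
    m = re.search(ossec_to_python(ossec_regex), log_line)
    if m is None:
        return None
    return dict(zip(order, m.groups()))


def split_fields(log_line):
    """The plain tab split a tab-delimited log can be parsed with: no regex."""
    return log_line.split("\t")


if __name__ == "__main__":
    print(check_order(OSSEC_REGEX, ORDER))
    print(decode(SAMPLE_LOG, OSSEC_REGEX, ORDER))
    print(split_fields(SAMPLE_LOG)[:9])
```

Run stand-alone it prints the group/name comparison first: the posted <regex> has 9 capture groups while <order> lists 11 names, so 'status' and 'user' can never be filled and 'extra_data' appears twice. Splitting the line on tabs, as the last function does, is the check to run before writing any regex for a tab-delimited log: it tells you which column index each name should map to, which is the "reduce the captured fields" step Anthony suggests.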
