I understand why rule 1002 matches; I just didn't understand why it was applied to that log line in the first place. But if all decoders are applied to all log files, I guess that explains why. It seems a very inefficient design, though. When one designates the access_log to be watched, one should be able to assign/limit what decoders are applied.
My regex does have regex in it. It is the five "."s to match any character. I changed it to <match>HTTP/1.0" 200 </match> and this seems to work, but I don't understand why my <regex> did not work.

-- 
--- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
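As an added example (not from the poster and not OSSEC's own code), a small Python model of how OSSEC's <match> (plain substring test) and <regex> (os_regex syntax, where a bare "." is a literal dot and "\." is the any-character token) treat an access_log line; the sample line and the patterns it is checked against are constructed.

```python
import re

# Constructed Apache access_log line, not taken from the post.
LINE = '10.0.0.5 - - [10/Oct/2013:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'

# OSSEC os_regex tokens and their Python re equivalents (per the OSSEC regex
# syntax docs). In os_regex a bare "." is a literal dot; "\." means any char.
_TOKENS = {
    r"\w": r"[A-Za-z0-9\-@_]", r"\W": r"[^A-Za-z0-9\-@_]",
    r"\d": r"[0-9]",           r"\D": r"[^0-9]",
    r"\s": r" ",               r"\S": r"[^ ]",
    r"\t": r"\t",              r"\.": r".",
}
_SPECIAL = "+*^$|"   # modifiers and anchors shared with Python re

def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _TOKENS:
            out.append(_TOKENS[tok]); i += 2
        elif pattern[i] in _SPECIAL:
            out.append(pattern[i]); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1  # literal, "." included
    return "".join(out)

def regex_hits(pattern, line):
    """Does an OSSEC <regex> pattern match the line?"""
    return re.search(ossec_regex_to_python(pattern), line) is not None

def match_hits(pattern, line):
    """Does an OSSEC <match> pattern hit? Substring test with ^/$ anchors only."""
    at_start, at_end = pattern.startswith("^"), pattern.endswith("$")
    text = pattern[1 if at_start else 0: -1 if at_end else None]
    if at_start and at_end:
        return line == text
    if at_start:
        return line.startswith(text)
    if at_end:
        return line.endswith(text)
    return text in line

if __name__ == "__main__":
    print(match_hits('HTTP/1.0" 200 ', LINE))              # True: substring hit
    print(regex_hits('HTTP/1.0" 200 .....', LINE))         # False: five literal dots
    print(regex_hits('HTTP/1.0" 200 \\.\\.\\.\\.', LINE))  # True: four any-char tokens
```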
