Hi all, I am resending this message since I had initially sent it to the '[email protected]' address and am not sure if it reached this list.

Pranav

-----Original Message-----
From: Pranav Lal [mailto:[email protected]]
Sent: Monday, October 14, 2013 10:20 AM
To: '[email protected]'
Subject: Seeking help with creating a custom decoder: unable to trigger child decoder to extract data

Hi all,

I am trying to generate an alert when the administrator logs in to my MikroTik router. The login events are below.

05:18:18 system,info,account user admin logged in from 192.168.88.254 via ssh
19:00:16 system,info,account user admin logged in from 192.168.88.254 via ssh

I have the following definitions in my local_decoder.xml file.

<decoder name="mikrotiklogin">
  <prematch>^\d\d:\d\d:\d\d\s\w+,\w+,\w+\w\s</prematch>
</decoder>

<decoder name="Mikrotikloginalert">
  <parent>mikrotiklogin</parent>
  <regex offset="after_parent">user:(user+\s\w+\w+\w+\w)IP:(\w+\s\d\d\d+.\d\d\d+.\d\d +.\d\d\d)+(\s+.*)</regex>
  <order>user,srcip,extra_data</order>
</decoder>

The child alert named mikrotikloginalert is not firing. What am I missing?

Pranav
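A decoder pair that does extract user, source IP and login method from the two sample lines above, plus a local rule that alerts on it, as an added example written for this thread rather than code from the original message; the decoder names, the rule id and the assumption that OSSEC receives each line exactly as shown (no syslog header in front of the timestamp) are mine.

```xml
<!-- Added example (not from the original post). Goes in local_decoder.xml. -->
<decoder name="mikrotik-account">
  <!-- Anchored at line start; "system,info,account user " is literal text in both sample lines. -->
  <prematch>^\d\d:\d\d:\d\d system,info,account user </prematch>
</decoder>

<decoder name="mikrotik-account-login">
  <parent>mikrotik-account</parent>
  <!-- after_prematch starts matching right after the parent's prematch, i.e. at the username.
       OSSEC regex syntax: \S+ = run of non-space chars, \d+ = digits, \. = literal dot. -->
  <regex offset="after_prematch">^(\S+) logged in from (\d+\.\d+\.\d+\.\d+) via (\w+)</regex>
  <!-- For "... user admin logged in from 192.168.88.254 via ssh" this yields
       user=admin, srcip=192.168.88.254, extra_data=ssh -->
  <order>user,srcip,extra_data</order>
</decoder>

<!-- Goes in local_rules.xml; 100100 is an id inside the local rule range (an assumed value). -->
<group name="local,mikrotik,">
  <rule id="100100" level="5">
    <decoded_as>mikrotik-account</decoded_as>
    <match>logged in from</match>
    <description>MikroTik: administrative user logged in</description>
  </rule>
</group>
```

The posted child regex looks for the literal strings "user:" and "IP:", which never appear in the log line, so it cannot match; pasting one of the lines into /var/ossec/bin/ossec-logtest shows which decoder fired and the fields it extracted.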
