Hello!
I'm writing a decoder/rule for Win2012 Network Policy Server (NPS) events.
The NPS log is a CSV file.
I'm interested in request events and reject events. Reject events may vary
depending on the RADIUS clients (network devices).
But I've got strange behavior when using ossec-logtest: the parent decoder with
prematch works well. If an event matches the child decoder next to the parent,
everything is OK and I get an event. If an event matches the second child decoder, I
don't get an event. If I swap the decoders and use the same event as in the previous case,
I get the event too.
Could somebody explain the reason for it? Cheers.
My decoders tree:
<decoder name="nps-win2012">
  <prematch>^"\w+","IAS",\d\d/\d\d/\d\d\d\d,\d\d:\d\d:\d\d,</prematch>
</decoder>

<decoder name="nps-win2012-request-sg500">
  <parent>nps-win2012</parent>
  <regex offset="after_parent">^1,"\.*","(\.*)",,,,,,\.*,,\d+,"(\d+.\d+.\d+.\d+)"</regex>
  <order>user,dstip</order>
</decoder>

<decoder name="nps-win2012-request">
  <parent>nps-win2012</parent>
  <regex offset="after_parent">^1,"\.*","(\.*)",,\.*(\d+.\d+.\d+.\d+)\.*,,,\.*,\.*,\.*,\d+,"(\d+.\d+.\d+.\d+)"</regex>
  <order>user,srcip,dstip</order>
</decoder>

<decoder name="nps-win2012-reject">
  <parent>nps-win2012</parent>
  <regex offset="after_parent">^3,,"(\.*)",,,,,,,,\d+,"(\d+.\d+.\d+.\d+)"</regex>
  <order>user,dstip</order>
</decoder>
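A way to check the three child regexes against sample lines independently of ossec-logtest, added here as an example (it is not code from the post or from OSSEC): it translates the post's OSSEC-dialect patterns into Python regexes (an approximation of OSSEC's own engine, assumed here), applies the parent prematch and then the child regexes in the order the post lists them, and reports which child each constructed NPS line would land in under plain first-match-wins semantics, which is the behaviour the post expects rather than what it observes.

```python
import re

# Approximate OSSEC-regex-to-Python translation (constructed for this example): in
# OSSEC "\." is the any-character wildcard, a bare "." is a literal dot, and \w also
# covers '-', '@', '_'. Wildcard runs become non-greedy so captures stop at the first fit.
_CLASSES = {".": ".", "w": r"[A-Za-z0-9@_\-]", "d": "[0-9]", "s": " "}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            cls, i = _CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])), i + 2
            if cls == "." and i < len(pattern) and pattern[i] in "*+":
                cls, i = "." + pattern[i] + "?", i + 1      # non-greedy \.* or \.+
            out.append(cls)
        else:
            out.append(c if c in "^$()|*+?" else re.escape(c))
            i += 1
    return "".join(out)
# Prematch and child regexes copied from the post's decoders, in the order listed.
PARENT_PREMATCH = r'^"\w+","IAS",\d\d/\d\d/\d\d\d\d,\d\d:\d\d:\d\d,'
CHILDREN = [
    ("nps-win2012-request-sg500", ("user", "dstip"),
     r'^1,"\.*","(\.*)",,,,,,\.*,,\d+,"(\d+.\d+.\d+.\d+)"'),
    ("nps-win2012-request", ("user", "srcip", "dstip"),
     r'^1,"\.*","(\.*)",,\.*(\d+.\d+.\d+.\d+)\.*,,,\.*,\.*,\.*,\d+,"(\d+.\d+.\d+.\d+)"'),
    ("nps-win2012-reject", ("user", "dstip"),
     r'^3,,"(\.*)",,,,,,,,\d+,"(\d+.\d+.\d+.\d+)"'),
]
def decode(line):
    """Parent prematch, then each child's regex on the text after the prematch
    (offset="after_parent") in order; first match wins. Returns (name, fields)."""
    m = re.match(ossec_to_python(PARENT_PREMATCH), line)
    if not m:
        return None                                  # not an NPS/IAS line at all
    rest = line[m.end():]
    for name, order, rx in CHILDREN:
        cm = re.match(ossec_to_python(rx), rest)
        if cm:
            return name, dict(zip(order, cm.groups()))
    return "nps-win2012", {}                         # parent matched, no child did

# Constructed IAS-format sample lines (not real NPS output), cut shortly after the
# NAS-IP-Address field: two Access-Requests, an Access-Reject, an Accounting-Request.
SAMPLES = [
    '"NPS01","IAS",02/20/2014,10:12:33,1,"jdoe","jdoe",,,,,,00-11-22-33-44-55,,0,"192.0.2.10",,,',
    '"NPS01","IAS",02/20/2014,10:12:34,1,"asmith","asmith",,"192.0.2.55",,,"","","",5,"192.0.2.20",,,',
    '"NPS01","IAS",02/20/2014,10:12:35,3,,"bob",,,,,,,,0,"192.0.2.10",,,',
    '"NPS01","IAS",02/20/2014,10:12:36,4,"jdoe",,,,,,,,,0,"192.0.2.10",,,',
]
```

Running `decode` over `SAMPLES` shows each line landing in a different child (or only the parent for the accounting line), so if ossec-logtest disagrees for one of them, the regex itself is not the reason.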
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.