I'm new to OSSEC so no doubt I'm missing alot. The below decoder is causing OSSEC to fail on start. I placed this decoder in the local_decoder.xml file in ./etc directory of the OSSEC installation. Not sure what I am getting wrong.
<decoder name="RDP"> <type>windows</type> <prematch>^WinEvtLog</prematch> <regex offset="after_prematch">^Remote Desktop Services: User authentication succeeded:</regex> <regex>\nUser: \S+\nDomain: \S+\nSource Network Address: \S+</regex> <order>user, location, srcip</order> </decoder> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
