On Tue, Aug 19, 2014 at 11:45 AM, Brian Kellogg <[email protected]> wrote:
> I'm new to OSSEC so no doubt I'm missing a lot. The below decoder is causing
> OSSEC to fail on start. I placed this decoder in the local_decoder.xml file
> in the ./etc directory of the OSSEC installation. Not sure what I am getting
> wrong.
>
> <decoder name="RDP">
>   <type>windows</type>
>   <prematch>^WinEvtLog</prematch>
>   <regex offset="after_prematch">^Remote Desktop Services: User authentication succeeded:</regex>
>   <regex>\nUser: \S+\nDomain: \S+\nSource Network Address: \S+</regex>
I suspect this isn't what you're trying to do, but to match the string "\n"
you need to escape the backslash. Try "\\n" to match "\n".

>   <order>user, location, srcip</order>

It doesn't look like you can use "location" here. I'm not sure how much these
matter though, you aren't populating them in the regex.

> </decoder>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
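The two points raised in the reply (a backslash has to be escaped to match a literal "\n", and an `<order>` list only gets values if the regex actually captures them) can be checked mechanically before restarting OSSEC. The script below is an added example, not OSSEC code and not the poster's file: it uses Python's `re` as a stand-in for OSSEC's own regex engine, so it only approximates OSSEC matching, and the decoder fragments and the log line it works on are constructed for the demonstration.

```python
"""Sanity checks for an OSSEC-style decoder fragment (added example).

Python's `re` stands in for OSSEC's own regex engine here; the checks are
approximations meant to catch the two mistakes discussed in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment with the same shape as the one in the thread:
# three <order> fields, but no capture group anywhere in the regexes.
THREAD_STYLE_DECODER = r"""<decoder name="RDP">
  <type>windows</type>
  <prematch>^WinEvtLog</prematch>
  <regex offset="after_prematch">^Remote Desktop Services: User authentication succeeded:</regex>
  <regex>\nUser: \S+\nDomain: \S+\nSource Network Address: \S+</regex>
  <order>user, location, srcip</order>
</decoder>"""

# Constructed variant with one capture group per <order> field (field names
# left untouched; this example only checks group counts, not field validity).
GROUPED_DECODER = r"""<decoder name="RDP">
  <type>windows</type>
  <prematch>^WinEvtLog</prematch>
  <regex offset="after_prematch">Remote Desktop Services: User authentication succeeded: User: (\S+) Domain: (\S+) Source Network Address: (\S+)</regex>
  <order>user, location, srcip</order>
</decoder>"""

# Constructed single-line log message in the rough shape OSSEC hands to decoders.
SAMPLE_LOG_LINE = (
    "WinEvtLog: Security: INFORMATION: Remote Desktop Services: "
    "User authentication succeeded: User: alice Domain: CORP "
    "Source Network Address: 192.0.2.10"
)


def count_capture_groups(pattern: str) -> int:
    """Count unescaped '(' in a pattern. OSSEC has no non-capturing groups,
    so every unescaped '(' opens a capture group. (A '\\\\(' sequence would be
    miscounted; good enough for a lint pass.)"""
    return len(re.findall(r"(?<!\\)\(", pattern))


def check_decoder(xml_text: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    order = root.findtext("order") or ""
    fields = [f.strip() for f in order.split(",") if f.strip()]
    # Count groups across every <regex> element in the decoder.
    groups = sum(count_capture_groups(r.text or "") for r in root.findall("regex"))
    if fields and groups != len(fields):
        findings.append(
            f"<order> lists {len(fields)} field(s) but the <regex> element(s) "
            f"capture {groups} group(s)"
        )
    return findings


def simulate_decode(xml_text: str, log_line: str):
    """Approximate OSSEC's prematch/regex/order flow with Python re:
    prematch must hit; with offset="after_prematch" the regex is applied to
    the text following the prematch; captured groups are zipped with <order>."""
    root = ET.fromstring(xml_text)
    prematch = root.findtext("prematch")
    regex_el = root.find("regex")
    fields = [f.strip() for f in (root.findtext("order") or "").split(",")]
    text = log_line
    if prematch:
        m = re.search(prematch, text)
        if not m:
            return None
        if regex_el.get("offset") == "after_prematch":
            text = text[m.end():]
    m = re.search(regex_el.text, text)
    if not m:
        return None
    return dict(zip(fields, m.groups()))


def demo_escaping() -> tuple:
    """The reply's escaping point, shown with Python re: the pattern \\n
    matches a newline character, while \\\\n matches the two characters
    backslash and n. Returns (pattern_n_on_newline, pattern_n_on_literal,
    pattern_escaped_on_literal)."""
    newline_text = "User: alice\nDomain: CORP"     # real newline
    literal_text = "User: alice\\nDomain: CORP"    # backslash followed by n
    return (
        re.search(r"\nDomain", newline_text) is not None,
        re.search(r"\nDomain", literal_text) is not None,
        re.search(r"\\nDomain", literal_text) is not None,
    )


if __name__ == "__main__":
    print("thread-style findings:", check_decoder(THREAD_STYLE_DECODER))
    print("grouped findings:", check_decoder(GROUPED_DECODER))
    print("simulated decode:", simulate_decode(GROUPED_DECODER, SAMPLE_LOG_LINE))
    print("escaping demo:", demo_escaping())
```

Run as-is, the thread-shaped fragment is flagged because `<order>` names three fields while the regexes capture nothing, the grouped variant passes and yields `user`, `location` and `srcip` from the constructed line, and the escaping demo returns `(True, False, True)`. Whether OSSEC accepts `location` in `<order>` is not something this checker decides; confirm that against the decoder documentation for the version you run.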
