So to match a newline I need to use \\n? How do I populate those built-in vars in the regex? Thanks
On Tuesday, August 19, 2014 11:57:08 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Aug 19, 2014 at 11:45 AM, Brian Kellogg <[email protected]> wrote:
> > I'm new to OSSEC so no doubt I'm missing a lot. The below decoder is causing
> > OSSEC to fail on start. I placed this decoder in the local_decoder.xml file
> > in ./etc directory of the OSSEC installation. Not sure what I am getting
> > wrong.
> >
> > <decoder name="RDP">
> > <type>windows</type>
> > <prematch>^WinEvtLog</prematch>
> > <regex offset="after_prematch">^Remote Desktop Services: User
> > authentication succeeded:</regex>
> > <regex>\nUser: \S+\nDomain: \S+\nSource Network Address: \S+</regex>
>
> I suspect this isn't what you're trying to do, but to match the string
> "\n" you need to escape the backslash. Try "\\n" to match "\n."
>
> > <order>user, location, srcip</order>
>
> It doesn't look like you can use "location" here. I'm not sure how
> much these matter though, you aren't populating them in the regex.
>
> > </decoder>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
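As an added illustration (not code from this thread or from OSSEC itself), the script below mimics how a decoder's regex capture groups feed the names listed in <order>: the thread's regex has no parentheses, so it matches but fills nothing, while a parenthesised version populates user and srcip. Python's re module stands in for OSSEC's own regex engine, whose syntax differs; the event text, the list of accepted <order> names and all function names are assumptions constructed for this example.

```python
import re

# Field names that OSSEC's decoder <order> accepts, as documented for OSSEC
# decoders (assumption: treat as illustrative, not an exhaustive list).
VALID_ORDER_FIELDS = {"user", "srcip", "dstip", "srcport", "dstport", "protocol",
                      "action", "id", "url", "data", "extra_data", "status",
                      "system_name"}

# Constructed sample event (not a real log): the three lines the thread's
# decoder tries to extract, following the fixed "Remote Desktop Services" text.
EVENT = ("WinEvtLog: Security: AUDIT_SUCCESS: Remote Desktop Services: "
         "User authentication succeeded:\nUser: jdoe\nDomain: CORP\n"
         "Source Network Address: 10.0.0.5")


def decode(event, prematch, regex, order):
    """Mimic a decoder: prematch gates the event, then each regex capture
    group is assigned, in sequence, to the next name in <order>."""
    for name in order:
        if name not in VALID_ORDER_FIELDS:
            raise ValueError(f"unsupported <order> field: {name!r}")
    gate = re.search(prematch, event)
    if not gate:
        return None                      # decoder does not apply to this event
    body = event[gate.end():]            # offset="after_prematch"
    match = re.search(regex, body)
    if not match:
        return None
    # Groups feed <order> positionally; names without a group stay unset.
    return dict(zip(order, match.groups()))


PREMATCH = r"Remote Desktop Services: User authentication succeeded:"
# The thread's regex: no capture groups, so it can fill no field at all.
ORIGINAL_REGEX = r"\nUser: \S+\nDomain: \S+\nSource Network Address: \S+"
# Same pattern with one group per name in <order>.
FIXED_REGEX = r"\nUser: (\S+)\nDomain: (\S+)\nSource Network Address: (\S+)"


def original_fields():
    return decode(EVENT, PREMATCH, ORIGINAL_REGEX, ["user", "srcip"])


def fixed_fields():
    return decode(EVENT, PREMATCH, FIXED_REGEX, ["user", "extra_data", "srcip"])


if __name__ == "__main__":
    print(original_fields())   # {}  (matched, but nothing captured)
    print(fixed_fields())      # {'user': 'jdoe', 'extra_data': 'CORP', 'srcip': '10.0.0.5'}
```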
