I knew I might be misunderstanding something. I thought ossec-logtest showed the last decoder used on the event. I had <order> in there to fill in data, and that was not being shown by ossec-logtest. I'll try again and see if I just screwed up my regex somehow. Shouldn't I see a level 12 alert generated by the rule, though, with the description "RDP Windows Logon"?
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
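For readers following this thread, here is an added, self-contained illustration of the decoder/rule pairing being discussed; it is not the poster's configuration (which is not shown in the thread) and the log format, decoder name, field names, rule ID and hostnames below are constructed for the example. The point it demonstrates is that a decoder's <order> fields only appear in ossec-logtest's "Phase 2: Completed decoding" output when the <regex> captures actually match, and that a rule keyed on <decoded_as> fires only after that decoder has matched.

```xml
<!-- Constructed sample line for ossec-logtest (not from the original thread).
     Paste it at the ossec-logtest prompt; the syslog pre-decoder strips the
     timestamp and hostname and sets program_name to "rdplogon":

     Jan  1 00:00:00 rdphost rdplogon: RDP logon user=alice src=10.0.0.5
-->

<!-- local_decoder.xml: hypothetical decoder for the constructed line above.
     After program_name pre-decoding the text handed to <regex> is
     "RDP logon user=alice src=10.0.0.5". Each capture group "(...)" in
     <regex> is assigned, in order, to the field names listed in <order>. -->
<decoder name="rdp-logon">
  <program_name>^rdplogon</program_name>
  <regex>^RDP logon user=(\S+) src=(\d+.\d+.\d+.\d+)$</regex>
  <order>dstuser, srcip</order>
</decoder>

<!-- local_rules.xml: hypothetical rule in the 100000-119999 local range.
     <decoded_as> ties it to the decoder name above, so if the decoder's
     regex fails to match, Phase 2 shows no dstuser/srcip and Phase 3 never
     reaches this rule, which is the symptom described in the thread. -->
<group name="local,rdp,">
  <rule id="100100" level="12">
    <decoded_as>rdp-logon</decoded_as>
    <description>RDP Windows Logon</description>
  </rule>
</group>
```

With both files loaded (the decoder file must be referenced from ossec.conf under <rules> on OSSEC versions that support a separate local_decoder.xml, and local_rules.xml included as usual), a successful run of /var/ossec/bin/ossec-logtest on the constructed line prints, in Phase 2, decoder 'rdp-logon' together with dstuser 'alice' and srcip '10.0.0.5', and in Phase 3 rule 100100 at level 12 with the description above followed by "Alert to be generated". If Phase 2 names the decoder but lists no fields, the <regex> is not matching the post-pre-decoder text, which is the first thing to check before suspecting the rule; a quick way to test is to temporarily loosen the regex to "^RDP logon (\.+)" with "<order>extra_data</order>" and confirm the raw remainder is captured, then tighten it back.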
