> > Trying to make the decoder match on "Logon Type: 10" and it fails. If I remove that regex matching this, the decoder works, but that type is what I want to key on. What am I not understanding? Not seeing any problems with the regex I have.
<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <prematch offset="after_parent">4624</prematch>
  <regex offset="after_prematch">Logon Type:\s+10</regex>
  <regex>\.+:\.+:\s+(\S+):\s+(\S+):\s+(\S+):</regex>
  <order>srcuser, extra_data, dstuser</order>
</decoder>
