On Thu, Aug 28, 2014 at 12:24 PM, Brian Kellogg <[email protected]> wrote:
>> Trying to make the decoder match on "Logon Type: 10" and it fails. If I
>> remove that regex matching this the decoder works, but that type is what I
>> want to key on. What am I not understanding? Not seeing any problems with
>> the regex I have.
>
>
> <decoder name="windows_rdp">
>   <type>windows</type>
>   <parent>windows</parent>
>   <prematch offset="after_parent">4624</prematch>
>   <regex offset="after_prematch">Logon Type:\s+10</regex>
>   <regex>\.+:\.+:\s+(\S+):\s+(\S+):\s+(\S+):</regex>
I don't know exactly what you're trying to pull out of the log message, so this kinda works for stuff that looked interesting to me (as ignorant as I am with Windows logs).

<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <!--<prematch offset="after_parent">4624</prematch>-->
  <prematch offset="after_parent">Logon Type:\s+10</prematch>
  <regex>Logon Type:\s+10\.+Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)\s+\.+Source Network Address:\s+(\S+)</regex>
  <!--\s+Source Network Address:\s+(\S+)</regex>-->
  <order>srcuser, extra_data, srcip</order>
</decoder>

> <order>srcuser, extra_data, dstuser</order>
> </decoder>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
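One way to sanity-check a decoder like the one above against a captured line before loading it into OSSEC, as an added example that is neither part of this thread nor OSSEC's own code: it translates OSSEC's regex dialect into Python re (an approximation, since OSSEC's engine is not PCRE), applies the reply's prematch, regex and order to a constructed 4624 event, and models the parent decoder only as the "WinEvtLog: " prefix the agent prepends. All function names, the decoder dict and the sample event are mine.

```python
import re

# OSSEC's regex escapes mapped onto Python re (approximation: OSSEC's engine is not PCRE)
_OSSEC_ESCAPES = {"w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]", "d": r"[0-9]", "D": r"[^0-9]",
                  "s": r" ", "S": r"[^ ]", "t": r"\t", "p": r"[()*+,\-.:;<=>?\[\]]", ".": r"."}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:  # + * ^ $ | ( ) mean the same in both dialects; everything else is literal
            out.append(c if c in "+*^$|()" else re.escape(c))
            i += 1
    return "".join(out)

def decode(line, decoder):
    """Apply a child decoder (prematch, regex, order) to one flattened log line. Assumption:
    the parent 'windows' decoder is modelled only as the 'WinEvtLog: ' prefix the agent adds."""
    parent = re.match(r"WinEvtLog: ", line)
    if not parent:
        return None
    # offset="after_parent": the prematch is searched only after the parent's match
    pre = re.compile(ossec_to_python(decoder["prematch"])).search(line, parent.end())
    if not pre:
        return None
    # a regex without an offset runs over the whole line; after_prematch starts after it
    start = pre.end() if decoder.get("regex_offset") == "after_prematch" else 0
    m = re.compile(ossec_to_python(decoder["regex"])).search(line, start)
    return dict(zip(decoder["order"], m.groups())) if m else None

# The reply's windows_rdp decoder, transcribed as a dict
RDP_DECODER = {
    "prematch": r"Logon Type:\s+10",
    "regex": (r"Logon Type:\s+10\.+Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)"
              r"\s+\.+Source Network Address:\s+(\S+)"),
    "order": ["srcuser", "extra_data", "srcip"],
}

# Constructed 4624 event (host, user, domain and address are made up), flattened onto one line
SAMPLE_4624_RDP = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WS01: "
    "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WS01$ Account Domain: CORP "
    "Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1001 Account Name: jdoe Account Domain: CORP "
    "Logon ID: 0x1a2b3c Network Information: Workstation Name: WS01 Source Network Address: 192.0.2.10 Source Port: 51234"
)
```

Because the regex is anchored on "Logon Type: 10" before the first capture, the Subject block's Account Name (the machine account) is skipped and the New Logon block's user is what lands in srcuser. ossec-logtest remains the authoritative check, since it runs the real engine and the real parent decoder.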
