Thanks for all your help. My problem boils down to lack of experience. I got the decoder working by doing the below. Now on to the rules.
<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <!-- only fire on interactive remote (RDP) logons: Logon Type 10 -->
  <prematch>Logon Type:\s+10</prematch>
  <!-- start after the prematch so the "New Logon" account is captured, not the "Subject" account -->
  <regex offset="after_prematch">Account Name:\s+(\S+)\s+Account Domain:\s+(\S+) \.+Workstation Name:\s+(\S+)\s+Source Network Address:\s+(\S+)</regex>
  <order>srcuser, extra_data, dstuser, srcip</order>
</decoder>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
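As an added illustration (not code from the post and not part of OSSEC), here is a small Python harness that translates the OSSEC regex dialect into Python `re` syntax closely enough to run the decoder above against a constructed 4624 event and check what lands in `srcuser`, `extra_data`, `dstuser` and `srcip`. The minimal stand-in for the stock `windows` parent decoder, the single-line event layout, and the sample events are assumptions made for the test; the translation also ignores backtracking differences between the two engines. It is mainly useful for seeing why `offset="after_prematch"` matters: a 4624 event carries two `Account Name:` blocks, and without the offset the decoder would report the `Subject:` account (often the machine account) as `srcuser`, so a rule built on it would attribute the RDP logon to the wrong principal.

```python
import re

# OSSEC regex character classes (per the OSSEC regex syntax documentation) mapped
# to Python equivalents. In OSSEC syntax `\.` means "anything" while a bare `.` is a
# literal period, and `\s` is a single space rather than general whitespace.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
    "W": r"[^A-Za-z0-9@_]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",
}


def ossec_to_python(pattern: str) -> str:
    """Approximate translation of an OSSEC decoder regex into Python syntax.

    Groups, anchors (^ $), alternation (|) and the + and * repeats carry over
    unchanged. This is a test aid, not a reimplementation of the OSSEC engine.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \w \d \s ... become classes; any other escaped char (\( \$ ...) is literal
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif c in ".[]{}?":
            out.append(re.escape(c))  # literal in OSSEC syntax, special in Python
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


# Assumed stand-in for the stock "windows" parent decoder: here it only gates on the
# "WinEvtLog: " prefix the Windows agent prepends to event log messages.
WINDOWS_PARENT = {"name": "windows", "prematch": r"^WinEvtLog: "}

# The RDP child decoder from the post, expressed as a dict (same patterns and order).
WINDOWS_RDP = {
    "name": "windows_rdp",
    "parent": "windows",
    "prematch": r"Logon Type:\s+10",
    "regex": (r"Account Name:\s+(\S+)\s+Account Domain:\s+(\S+) \.+"
              r"Workstation Name:\s+(\S+)\s+Source Network Address:\s+(\S+)"),
    "regex_offset": "after_prematch",
    "order": ["srcuser", "extra_data", "dstuser", "srcip"],
}


def decode(log_line: str, parent=WINDOWS_PARENT, child=WINDOWS_RDP):
    """Return the decoded fields for log_line, or None if the decoder does not apply."""
    if not re.search(ossec_to_python(parent["prematch"]), log_line, re.DOTALL):
        return None
    pre = re.search(ossec_to_python(child["prematch"]), log_line, re.DOTALL)
    if not pre:
        return None
    # offset="after_prematch": the field regex starts where the prematch ended, so it
    # skips the "Subject:" block and reads the "New Logon:" account instead.
    start = pre.end() if child.get("regex_offset") == "after_prematch" else 0
    m = re.compile(ossec_to_python(child["regex"]), re.DOTALL).search(log_line, start)
    if not m:
        return {}  # prematch hit but no fields were extracted
    return dict(zip(child["order"], m.groups()))


def srcuser_without_offset(log_line: str) -> str:
    """Show what the same decoder would capture if the offset were dropped."""
    no_offset = dict(WINDOWS_RDP, regex_offset=None)
    return decode(log_line, child=no_offset)["srcuser"]


# Constructed sample events (not real logs), flattened to one line as the agent delivers them.
SAMPLE_RDP_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV01: An account was successfully logged on. "
    "Subject: Security ID: S-1-5-18 Account Name: SRV01$ Account Domain: EXAMPLE "
    "Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1001 "
    "Account Name: alice Account Domain: EXAMPLE Logon ID: 0x1a2b3c "
    "Process Information: Process ID: 0x4c8 Process Name: C:\\Windows\\System32\\winlogon.exe "
    "Network Information: Workstation Name: SRV01 Source Network Address: 203.0.113.5 "
    "Source Port: 49152"
)
# Same event shape but a network (type 3) logon: the RDP decoder must not fire on it.
SAMPLE_NETWORK_LOGON = SAMPLE_RDP_LOGON.replace("Logon Type: 10", "Logon Type: 3")

if __name__ == "__main__":
    print(decode(SAMPLE_RDP_LOGON))          # alice / EXAMPLE / SRV01 / 203.0.113.5
    print(decode(SAMPLE_NETWORK_LOGON))      # None
    print(srcuser_without_offset(SAMPLE_RDP_LOGON))  # SRV01$ (the Subject account)
```

Running it prints the four fields for the RDP event, `None` for the type 3 event, and `SRV01$` for the no-offset variant, which is the misattribution the `offset="after_prematch"` attribute prevents.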
