Checking on regexpal.com your \w+ is not needed as there is no match for it.
<prematch>^\w+ \d+ \d\d:\d\d:\d\d niban </prematch>

Should work

From: [email protected] [mailto:[email protected]] On Behalf Of Ki?n Th?c Phan
Sent: Tuesday, February 03, 2015 11:11 PM
To: [email protected]
Subject: [ossec-list] Decoder "niban"

Hi all,

I have a log:

May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000

And my decoder:

<decoder name="niban">
  <prematch>^\w+ \d+ \d\d:\d\d:\d\d \w+ niban</prematch>
</decoder>

I use ossec-logtest debug, my result: No decoder match.

What did I do wrong?

Thanks in advance
ThucPK

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>.
For more options, visit https://groups.google.com/d/optout.
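The regexpal check from the reply, reproduced offline as an added example that is not part of the original thread: Python's `re` stands in for regexpal, and the hypothetical helper `first_failing_token` reports which space-separated piece of a prematch stops matching. It tests the raw log line only, as regexpal does, not OSSEC's own decoding.

```python
import re

# Constructed from the two log lines quoted in the thread.
SAMPLE_LOGS = [
    "May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006",
    "May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000",
]

ORIGINAL = r"^\w+ \d+ \d\d:\d\d:\d\d \w+ niban"   # decoder from the question
SUGGESTED = r"^\w+ \d+ \d\d:\d\d:\d\d niban "     # prematch from the reply


def first_failing_token(pattern, line):
    """Return None if pattern matches the start of line; otherwise return
    (index, token, remaining_text) for the first space-separated token of
    the pattern at which matching breaks down."""
    tokens = pattern.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if re.match(prefix, line) is None:
            # Re-match the last prefix that worked to see what text is left.
            good = re.match(" ".join(tokens[:i - 1]), line) if i > 1 else None
            rest = line[good.end():].lstrip() if good else line
            return (i - 1, tokens[i - 1], rest)
    return None


def report(pattern):
    """Run the pattern over every sample line and collect the results."""
    return [first_failing_token(pattern, line) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for line, result in zip(SAMPLE_LOGS, report(pattern)):
            if result is None:
                print(f"{name}: match       <- {line}")
            else:
                idx, token, rest = result
                print(f"{name}: token #{idx} {token!r} fails at {rest!r}")
```

With the original pattern, the extra `\w+` consumes the hostname `niban`, so the literal `niban` is then compared against `useradd[...]` and fails.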
