I have also tested the following decoder:
<decoder name="fakeinc_custom">
<prematch>^Fakeinc: </prematch> <==== without "\.+"
<regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex>
<order>srcuser,srcip</order>
</decoder>
And here is the result:
--------------------------------------------------------------------------------
**Phase 1: Completed pre-decoding.
full event: 'Mar 26 10:56:36 small-VirtualBox small: Fakeinc:
service for: [email protected] Failed'
hostname: 'small-VirtualBox'
program_name: 'small'
log: 'Fakeinc: service for: [email protected] Failed'
**Phase 2: Completed decoding.
No decoder matched.
--------------------------------------------------------------------------------