On Apr 4, 2015 9:04 PM, <[email protected]> wrote:
>
> I have also tested the following decoder:
>
> <decoder name="fakeinc_custom">
>   <prematch>^Fakeinc: </prematch>   <==== without "\.+"
>   <regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex>
>   <order>srcuser,srcip</order>
> </decoder>

Well then it's time to start small. Remove the regex and order. Does it work? If so, add a small bit to the regex and try again. Keep doing that till you get everything you need.

> and here is the result:
> --------------------------------------------------------------------------------
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 26 10:56:36 small-VirtualBox small: Fakeinc: service for: [email protected] Failed'
>        hostname: 'small-VirtualBox'
>        program_name: 'small'
>        log: 'Fakeinc: service for: [email protected] Failed'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
> --------------------------------------------------------------------------------
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
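The "start small and add a bit at a time" method from the reply, as an added example that is not part of the thread: it applies the decoder's prematch, then progressively longer versions of the after_prematch regex, and reports the first piece that stops matching. It assumes Python's re dialect (OSSEC's os_regex treats \w and \S differently, so this shows the method, not the exact engine) and uses constructed log lines with a placeholder user@host, since the address in the post is obfuscated.

```python
import re

# Constructed samples shaped like the 'log' field ossec-logtest prints after
# pre-decoding. The address is a placeholder, not the one from the post.
SAMPLE_OK = "Fakeinc: service for: alice@192.0.2.10 Failed"
SAMPLE_DOTTED = "Fakeinc: service for: alice.smith@192.0.2.10 Failed"

PREMATCH = r"^Fakeinc: "

# Progressively longer versions of the <regex offset="after_prematch"> element,
# in the order a "start small, then add a bit" session would try them.
STEPS = [
    r"^service for: ",
    r"^service for: (\w+)@",
    r"^service for: (\w+)@(\S+) ",
    r"^service for: (\w+)@(\S+) \w+",
]


def walk_decoder(log, prematch=PREMATCH, steps=STEPS):
    """Apply the prematch, then each step against the text after it.

    Returns (last_passing_index, groups_of_last_pass, first_failing_pattern).
    last_passing_index is -1 when only the prematch passed and None when even
    the prematch failed. Assumption: patterns are evaluated with Python's re,
    which is close to but not identical to OSSEC's os_regex.
    """
    pm = re.match(prematch, log)
    if pm is None:
        return None, (), prematch
    rest = log[pm.end():]  # what offset="after_prematch" hands to <regex>
    last_ok, groups = -1, ()
    for i, pat in enumerate(steps):
        m = re.match(pat, rest)
        if m is None:
            return last_ok, groups, pat  # first step that broke the decoder
        last_ok, groups = i, m.groups()
    return last_ok, groups, None


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DOTTED):
        idx, groups, failed = walk_decoder(sample)
        print(sample)
        print("  last passing step:", idx, "captured:", groups)
        print("  first failing pattern:", failed)
```

For the dotted username the walk stops at the `(\w+)@` step, which is exactly the kind of result that tells you which part of the regex to loosen before adding the next piece.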
