Santiago,

Thank you for your insight; I really appreciate it.

I see your discovery. I'm new to understanding the regex used, but I'm a quick study. After the parent decoder is matched, shouldn't apache24-errorlog-ip be able to jump ahead to the section starting with [client? Not sure how the pid affects this. Obviously it does, I just don't get why. Are you suggesting I recraft how the ModSecurity error reads? Or do you have an idea for a regex change?

Brian
