On Fri, 15 Apr 2016, Fredrik wrote:
Thanks for getting back to me. Again :) :) I'm trying out your enhancement to the first decoder and trying to combine it with child-decoders from our previous posts. I currently have this (which obviously doesn't work), but how do I best create the parent-child tree to handle the slight variations in messages? One per action (e.g. block, prevent) and, where needed, use two child-decoders with the same name to capture all fields of interest, as you have instructed previously (i.e. one for the fields action, srcip, dstip, the second for the url, extra_data fields)?
  <decoder name="Checkpoint-block-allow">
    <parent>Checkpoint-test</parent>
    <regex>(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+)</regex>
    <order>action,srcip,dstip</order>
  </decoder>
If you plan on detecting IPv6 activity on your network, you may want to change \d+.\d+.\d+.\d+ to \S+.
Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
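One way to lay out the parent/child tree the thread is asking about, as an added example that is not from either poster: a parent that only identifies the product by program name, and two child decoders sharing the name Checkpoint-block-allow, one per message variant, with \S+ for the addresses as suggested above. The two sample log lines and the exact token layout after the action word are constructed assumptions, not real Checkpoint output.

```xml
<!-- Constructed sample lines this tree is written against (assumed format):
     Apr 15 10:00:00 fw1 Checkpoint: accept rule_12 inbound src: 10.1.2.3; dst: 2001:db8::10;
     Apr 15 10:00:01 fw1 Checkpoint: prevent rule_30 inbound url: http://example.invalid/path; category: Malware;
     After syslog pre-decoding, the decoders below see only the text after "Checkpoint: ". -->

<!-- Parent: matches on the program name only, so every Checkpoint line reaches the children. -->
<decoder name="Checkpoint-test">
  <program_name>^Checkpoint</program_name>
</decoder>

<!-- Child 1: firewall action with source and destination.
     \S+ rather than \d+.\d+.\d+.\d+ so IPv6 addresses decode too. -->
<decoder name="Checkpoint-block-allow">
  <parent>Checkpoint-test</parent>
  <regex>^(\w+) \S+ \S+ src: (\S+); dst: (\S+);</regex>
  <order>action,srcip,dstip</order>
</decoder>

<!-- Child 2, same name: the URL-filtering variant of the message,
     tried when the first regex does not match this line. -->
<decoder name="Checkpoint-block-allow">
  <parent>Checkpoint-test</parent>
  <regex>^(\w+) \S+ \S+ url: (\S+); category: (\S+);</regex>
  <order>action,url,extra_data</order>
</decoder>
```

Run ossec-logtest with each sample line to confirm which child fires and that srcip/dstip or url/extra_data are populated before writing rules against them.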