On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J. <gjahc...@compucenter.org> wrote:
> That is not what I meant.
>
> If the source IP is decoded and stored in field srcip, I want to be able to
> specify _srcip_ (or whatever convention used to tell regex that this is a
> variable), and have _srcip_ replaced by the value saved as srcip in the
> event.
>
> If srcip is 10.0.0.1, specifying in the regex
> <regex>Some-regex-preceding-_srcip_-some regex tailing</regex> _srcip_ in
> the regex would be dynamically replaced by its value (10.0.0.1) during regex
> evaluation.
>
There's no support for that.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.