On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown <[email protected]> wrote:
> I believe I've figured it out -- I think the decoder isn't matching the full
> log string and is thus stripping the ip address information. Also after
> looking at the regex in the decoder, I've discovered that it doesn't even
> match against the first three example strings provided:
>
> Here's an example from the comments (After prematch):
> Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The
> logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from
> workstation: la failed. The error code was: 3221225572
>
> yet, the regex is:
> ^\.+: (\w+)\((\d+)\): (\.+):
>
> The second (\d+) will only match against numbers, so (0x000002A9) will never
> match. It should be ([0-9A-Fx]+)

I don't think this does what you want it to. But dealing with the hex might be an issue we'll have to look into.

> Also, why is it escaping the period at the beginning and at the end?
> shouldn't the regex be:
> ^.+: (\w+)\((\d+)\): (.+):

Not if you want to match any character, that should only match '.'.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
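As an added example (not code from the thread or from the OSSEC project), the script below approximates OSSEC's decoder-regex dialect in Python's `re` module, where `\.` means any character and a bare `.` is a literal dot, and runs the quoted decoder regex, the bare-dot rewrite asked about, and a `\w`-based alternative for the hex code (my assumption, not the thread's `([0-9A-Fx]+)`) against the sample line. Python's backtracking differs from OSSEC's own matcher, so the boundary of the trailing `(\.+)` group is only approximate.

```python
import re

# Constructed copy of the sample line quoted in the thread (after prematch).
SAMPLE = ("Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: "
          "The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
          "from workstation: la failed. The error code was: 3221225572")

# OSSEC decoder-regex tokens and an approximate Python equivalent: in OSSEC
# "\." is any character, a bare "." is a literal dot, and "\w" includes - @ _.
OSSEC_TOKENS = {
    r"\.": ".",
    r"\w": r"[A-Za-z0-9@_\-]",
    r"\d": r"[0-9]",
    r"\s": r"[ ]",
    r"\(": r"\(",
    r"\)": r"\)",
}
PASSTHROUGH = set("^$()+*|")  # metacharacters that mean the same in both dialects

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder regex into Python re syntax (approximation)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            if tok not in OSSEC_TOKENS:
                raise ValueError(f"unsupported OSSEC token {tok!r}")
            out.append(OSSEC_TOKENS[tok])
            i += 2
        else:
            # bare '.', '[', '?' and friends are literals in OSSEC, so escape them
            out.append(ch if ch in PASSTHROUGH else re.escape(ch))
            i += 1
    return "".join(out)

def decode(pattern: str, line: str):
    # Returns the captured groups, or None when the decoder regex does not match.
    m = re.search(ossec_to_python(pattern), line)
    return m.groups() if m else None
# The decoder regex quoted in the thread: "\d+" cannot consume the hex "0x000002A9".
ORIGINAL = r"^\.+: (\w+)\((\d+)\): (\.+):"
# The bare-dot rewrite asked about: in OSSEC those dots are literal, so it never matches.
BARE_DOTS = r"^.+: (\w+)\((\d+)\): (.+):"
# One OSSEC-syntax alternative (my assumption, not from the thread): \w covers hex and 'x'.
HEX_FIX = r"^\.+: (\w+)\((\w+)\): (\.+):"
if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL), ("bare dots", BARE_DOTS), ("hex fix", HEX_FIX)]:
        print(f"{name:9}: {ossec_to_python(pat)!r} -> {decode(pat, SAMPLE)}")
```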
