I get the following when I run logtest.

**Phase 2: Completed decoding.
       No decoder matched.

On Wednesday, November 7, 2018 at 1:42:45 PM UTC-5, Chad Harbin wrote:
>
> Guys,
>
> I really need your help. I am new to this and not getting very far. Our 
> developer created a custom ASP.NET application that logs to the 
> Application event logs when a user successfully logs in or fails to log 
> in to the app.
>
> Here is what I am working with. Not sure how to make this work.
>
> 2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02 
> 13:52:39 WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: 
> (no user): 
> no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO  GeneralLogger 
> [(null)] - Successful login for: [email protected]
>
> <decoder name="extranet">
>   <prematch>10.0.10.120</prematch>
> </decoder>
>
> <decoder name="extranet-auth">
>   <parent>extranet</parent>
>   <prematch offset="after_parent">^- </prematch>
>   <regex offset="after_parent">^(\S+) login for: (\S+)</regex>
>   <order>status, extra_data</order>
> </decoder>
>
> Here is what I get from the logtest.
>
> **Phase 1: Completed pre-decoding.
>        full event: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: 
> Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com: 
> 2018-11-07 13:00:42,209 [36] INFO  GeneralLogger [(null)] - Successful 
> login for: [email protected]'
>        timestamp: '(null)'
>        hostname: 'ip-10-0-10-15'
>        program_name: '(null)'
>        log: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: 
> Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com: 
> 2018-11-07 13:00:42,209 [36] INFO  GeneralLogger [(null)] - Successful 
> login for: [email protected]'
>
> **Phase 2: Completed decoding.
>        decoder: 'otpextranet'
>
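
An added example, not part of the original thread and not the OSSEC project's own rules: one way to write the child decoder for the sample event quoted above. It assumes `offset="after_parent"` starts matching right after the text the parent's `<prematch>` matched, which here is `->WinEvtLog ...`, so a child pattern anchored with `^- ` cannot match at that position. Decoder names and field order are taken from the post.

```xml
<!-- Parent as posted: claims any event that contains the agent address. -->
<decoder name="extranet">
  <prematch>10.0.10.120</prematch>
</decoder>

<!--
  The posted child used prematch "^- " with offset="after_parent".
  Once the parent has matched "10.0.10.120", the remaining text starts with
  "->WinEvtLog 2018 Nov 07 ...". The caret pins the pattern to that position,
  where a hyphen followed by a space is not present, so the child is never
  selected and no fields are extracted.

  The child below drops the anchors so the patterns can match later in the
  line, at "[(null)] - Successful login for: <address>".
  Assumption: a failed login is logged in the same
  "- <word> login for: <address>" shape. The post only shows the successful case.
-->
<decoder name="extranet-auth">
  <parent>extranet</parent>
  <prematch offset="after_parent">login for:</prematch>
  <regex offset="after_parent">- (\S+) login for: (\S+)</regex>
  <order>status, extra_data</order>
</decoder>
```

With the sample event from the post, `status` would hold `Successful` and `extra_data` the address that follows `login for:`.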
