I get a match with the following decoder but nothing afterwards.

This works:

<decoder name="extranet">
  <prematch>10.0.10.120</prematch>
</decoder>
But this doesn't:

<decoder name="extranet-auth">
  <parent>extranet</parent>
  <prematch offset="after_parent">^- </prematch>
  <regex offset="after_parent">^(\S+) login for: (\S+)</regex>
  <order>status, extra_data</order>
</decoder>

On Wednesday, November 7, 2018 at 1:42:45 PM UTC-5, Chad Harbin wrote:
>
> Guys,
>
> I really need your help. I am new to this and not getting very far. Our
> developer created a custom ASP.NET application that logs to the
> Application event logs when a user Successfully or Fails to login to the
> app.
>
> Here is what I am working with. Not sure how to make this work.
>
> 2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02 13:52:39 WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: (no user): no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger [(null)] - Successful login for: [email protected]
>
> <decoder name="extranet">
>   <prematch>10.0.10.120</prematch>
> </decoder>
>
> <decoder name="extranet-auth">
>   <parent>extranet</parent>
>   <prematch offset="after_parent">^- </prematch>
>   <regex offset="after_parent">^(\S+) login for: (\S+)</regex>
>   <order>status, extra_data</order>
> </decoder>
>
> Here is what I get from the logtest.
>
> **Phase 1: Completed pre-decoding.
>        full event: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com: 2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful login for: [email protected]'
>        timestamp: '(null)'
>        hostname: 'ip-10-0-10-15'
>        program_name: '(null)'
>        log: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com: 2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful login for: [email protected]'
>
> **Phase 2: Completed decoding.
>        decoder: 'otpextranet'
>
> --

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
