Derek, in my last mail I had told you that adapting the regex was problematic because what I had in my PacketFence was very different from what you had described:

    "https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
    Commenting out lines 103 to 131 and adding your new regex code afterward"

According to the changelog on my system, the last commit date showed:

    Date: Fri Jul 24 10:34:46 2015 -0400

I'm pretty sure my version is 5.3.1.
So again: where/how should I apply your suggested regex code, seen below?

    if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+ ?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
        $date  = $1;
        $sid   = $2;
        $descr = $3;
        $srcip = $5;
        $dstip = $6;
    } else {
        $logger->warn("unknown input: $_ ");
        next;
    }

=======================================================================

I saw your suggestion regarding Security Onion; however, I am running Suricata on a FreeBSD platform within jails. Security Onion doesn't offer that for me.

Thanks!
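To see what shape of alert line the regex quoted above actually accepts before touching pfdetect, here is an added Python check (not pfdetect code and not from this thread) that applies the same pattern to two constructed sample alerts: one syslog-forwarded line with a "Mon DD HH:MM:SS host tag:" prefix, and the same alert as Suricata writes it natively to fast.log, which falls through to the "unknown input" branch. Both sample lines, the host name and the addresses are assumptions.

```python
import re

# The pfdetect regex quoted in the post, transcribed verbatim into Python's
# re syntax (Perl and Python agree on every construct used here).
ALERT_RE = re.compile(
    r"^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+ ?)\]"
    r".+?\}\s+(.+?):.+?>\s(.+?):"
)


def parse_alert(line):
    """Return the fields pfdetect would extract, or None for 'unknown input'."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    return {
        "date": m.group(1),
        "sid": m.group(2),
        "descr": m.group(3),
        "srcip": m.group(5),  # the quoted code deliberately skips $4
        "dstip": m.group(6),
    }


# Constructed sample (not a real alert): syslog-forwarded shape whose date
# prefix satisfies the first capture group of the regex.
SYSLOG_LINE = (
    "Jul 24 10:34:46 sensor1 suricata[1234]: [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.5:49152"
)
# Constructed sample: the same alert as Suricata writes it to fast.log
# directly, with its own "MM/DD/YYYY-HH:MM:SS.usec" timestamp and no prefix.
FASTLOG_LINE = (
    "07/24/2015-10:34:46.123456  [**] [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.5:49152"
)


def check_samples():
    """Run both samples so the regex can be exercised offline."""
    return {"syslog": parse_alert(SYSLOG_LINE), "fastlog": parse_alert(FASTLOG_LINE)}


if __name__ == "__main__":
    for name, fields in check_samples().items():
        print(name, "->", fields if fields else "unknown input (pfdetect would warn and skip)")
```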