Greetings Daniel: Thank you for this help, and for your regular and timely help with OSSEC.
I'm not able to change the formatting at present; we use Bastille for Linux, and I'm not sure (at present) what hacking I can get away with in that area. What would I change in the decoder to support multiple spaces?

    <decoder name="iptables">
      <program_name>^kernel</program_name>
    </decoder>

    <decoder name="iptables-1">
      <parent>iptables</parent>
      <type>firewall</type>
      <prematch>^[\d+.\d+] \S+ IN=</prematch>
      <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
      <regex> \.+ PROTO=(\w+) </regex>
      <order>action,srcip,dstip,protocol</order>
    </decoder>

    <decoder name="iptables-1">
      <parent>iptables</parent>
      <type>firewall</type>
      <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
      <order>srcport,dstport</order>
    </decoder>

    <decoder name="iptables-2">
      <parent>iptables</parent>
      <type>firewall</type>
      <prematch>^\S+ IN=</prematch>
      <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
      <regex>PROTO=(\w+) </regex>
      <order>action,srcip,dstip,protocol</order>
    </decoder>

    <decoder name="iptables-2">
      <parent>iptables</parent>
      <type>firewall</type>
      <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
      <order>srcport,dstport</order>
    </decoder>

Thank you.
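Added example, not part of the post above and not OSSEC's own code: a small Python harness that emulates how the quoted iptables-1 decoder chain is applied (prematch, then the concatenated parent regex, then the child regex with offset="after_regex") so the effect of multi-space logs can be seen without touching the production decoder. It translates the OSSEC regex subset used here (\., \S, \d, \w, \s, literal [ ], literal .) into Python regexes; this is an approximation of OSSEC's matcher, not the real engine. The assumed fix it tests is widening each literal space in the OSSEC patterns to \s+ (OSSEC syntax for one or more spaces). The two log lines are constructed, not taken from Bastille or the post.

```python
import re
from typing import Optional

# Constructed sample lines (not from the original post or from OSSEC).
# The first has the single spacing the stock decoder expects; the second pads
# every field gap with two spaces, the situation the post asks about.
SINGLE_SPACED = (
    "[12345.678901] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF "
    "PROTO=TCP SPT=41234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0"
)
DOUBLE_SPACED = (
    "[12345.678902]  DROP  IN=eth0  OUT=  SRC=198.51.100.7  DST=192.0.2.10  "
    "LEN=60  TTL=53  PROTO=TCP  SPT=41234  DPT=22  SYN"
)

# The stock iptables-1 patterns as quoted in the post. OSSEC concatenates the
# two <regex> elements of a decoder into one pattern, so they are joined here.
STOCK = {
    "prematch": r"^[\d+.\d+] \S+ IN=",
    "regex": r"^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)" + r" \.+ PROTO=(\w+) ",
    "order": ["action", "srcip", "dstip", "protocol"],
    # second iptables-1 block, offset="after_regex"
    "ports_regex": r"^SPT=(\d+) DPT=(\d+) ",
    "ports_order": ["srcport", "dstport"],
}


def tolerate_spaces(ossec_pattern: str) -> str:
    """Widen each literal space to \\s+ (OSSEC syntax: one or more spaces).
    This is the assumed fix under test, not something the post prescribes."""
    return ossec_pattern.replace(" ", r"\s+")


TOLERANT = {k: tolerate_spaces(v) if isinstance(v, str) else v
            for k, v in STOCK.items()}


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset used above into a Python regex.
    Approximation only: in OSSEC '\\.' means any character, while '.', '['
    and ']' are literal; \\d \\w \\s \\S carry over (Python's \\s is wider,
    it also matches tabs)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
            continue
        out.append(c if c in "()^$+*|" else re.escape(c))
        i += 1
    return "".join(out)


def decode(line: str, dec: dict) -> Optional[dict]:
    """Emulate the decoder chain: prematch, parent regex from the start of the
    line, then the child regex applied to the text after the parent's match
    (offset="after_regex"). None means the prematch did not fire; an empty
    dict means it fired but no fields could be extracted."""
    if not re.search(ossec_to_python(dec["prematch"]), line):
        return None
    m = re.search(ossec_to_python(dec["regex"]), line)
    if not m:
        return {}
    fields = dict(zip(dec["order"], m.groups()))
    pm = re.search(ossec_to_python(dec["ports_regex"]), line[m.end():])
    if pm:
        fields.update(zip(dec["ports_order"], pm.groups()))
    return fields


def decode_stock(line: str) -> Optional[dict]:
    return decode(line, STOCK)


def decode_tolerant(line: str) -> Optional[dict]:
    return decode(line, TOLERANT)


if __name__ == "__main__":
    for name, line in (("single", SINGLE_SPACED), ("double", DOUBLE_SPACED)):
        print(f"{name:6} stock:    {decode_stock(line)}")
        print(f"{name:6} tolerant: {decode_tolerant(line)}")
```

In the emulation the stock prematch never fires on the double-spaced line (the literal space after the timestamp is followed by a second space, so \S+ cannot match), while the \s+ variant decodes both lines to the same fields. If you carry the change into the real decoder, the literal spaces in the <prematch> and <regex> strings become \s+ in OSSEC's own syntax (for example <prematch>^[\d+.\d+]\s+\S+\s+IN=</prematch>); since OSSEC's engine is not Python's, confirm the edited decoder against a captured line with ossec-logtest before relying on it.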