No, you need to match on something in the log message. You're still pulling out meta-data.
Run ossec-logtest and paste that log message into it. On Thu, Sep 29, 2011 at 3:07 PM, spinman <[email protected]> wrote: > So are you suggesting that my match should beĀ <match>syslog-ng</match>
