What am I missing? It just keeps firing on the windows-date-format. So frustrating; it must be simple, I am just blind today:

Log entry:
2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator
decoder:
<decoder name="fw-private">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
</decoder>

<decoder name="fw-private-alert">
  <parent>fw-private</parent>
  <regex offset="after_parent">^Package: (\.+):\.+</regex>
  <order>data</order>
</decoder>
And I want to store the "attack.vector" in 'data', but it just keeps
triggering:
**Phase 1: Completed pre-decoding.
       full event: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'
       hostname: 'ossex'
       program_name: '(null)'
       log: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '0'
       Description: 'Unknown problem somewhere in the system.'
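A corrected local_decoder.xml fragment, added here as an example and not the poster's own configuration. Two things are going on in the post. First, the stock decoder.xml already ships a root decoder named windows-date-format whose prematch is the same timestamp pattern, and OSSEC uses the first decoder whose prematch matches; decoder.xml is loaded before local_decoder.xml, so a second root decoder (fw-private) with an identical prematch is never selected, which is exactly what the logtest output shows. Second, `\.+` in OSSEC regex syntax matches any run of characters, so `(\.+):` does not stop at the first colon; `\S+` (non-whitespace) does. The fix below drops the duplicate root decoder and hangs the child directly off the stock windows-date-format decoder instead. The decoder name fw-private-alert is kept from the post.

```xml
<!-- local_decoder.xml: child of the stock windows-date-format decoder.
     No new root decoder is defined, so there is no prematch race with
     the one already in decoder.xml. -->
<decoder name="fw-private-alert">
  <parent>windows-date-format</parent>
  <!-- after_parent: matching starts right after the timestamp and the
       trailing space consumed by the parent's prematch, i.e. at "Package:".
       \S+ captures "attack.vector" and stops at the first colon. -->
  <regex offset="after_parent">^Package: (\S+):</regex>
  <order>data</order>
</decoder>
```

Re-run the same log line through /var/ossec/bin/ossec-logtest: Phase 2 will still name the root decoder, windows-date-format, but it should now also print data: 'attack.vector'. If it does not, check that the local decoder file is actually listed in the manager's ossec.conf and that the manager was restarted after the edit.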