What am I missing - it just keeps firing on the windows-date-format -- so frustrating, it must be simple, I am just blind today:
Log entry:

    2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator

Decoder:

    <decoder name="fw-private">
      <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
    </decoder>

    <decoder name="fw-private-alert">
      <parent>fw-private</parent>
      <regex offset="after_parent">^Package: (\.+):\.+</regex>
      <order>data</order>
    </decoder>

And I want to store the "attack.vector" in 'data', but it just keeps triggering:

    **Phase 1: Completed pre-decoding.
           full event: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'
           hostname: 'ossex'
           program_name: '(null)'
           log: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'

    **Phase 2: Completed decoding.
           decoder: 'windows-date-format'

    **Phase 3: Completed filtering (rules).
           Rule id: '1002'
           Level: '0'
           Description: 'Unknown problem somewhere in the system.'