Try a decoder with an English <regex> first, for example, MICROSOFT_AUTHENTICATION_PACKAGE_V1. After you get it working, add new things one at a time.
On Monday, January 21, 2013 10:36:27 PM UTC-8, root wrote:
> hi, all
>
> I wrote a decoder like this:
>
> <decoder name="Security-Auditing-failure">
>   <program_name>Security-Auditing-failure</program_name>
>   <regex>(计算机试图验证帐户的凭据)</regex>
>   <order>srcip</order>
> </decoder>
>
> but when I test this log:
>
> Jan 22 11:49:13 QAD2008PDC Security-Auditing: 4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0
>
> it cannot match this log!
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 22 11:49:13 QAD2008PDC Security-Auditing: 4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0'
>        hostname: 'QAD2008PDC'
>        program_name: 'Security-Auditing'
>        log: '4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> Thanks & best regards
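A simplified Python model of ossec-logtest's two phases, added here as an example and not code from the thread or from OSSEC, run on the posted event (retyped as constructed input). It places the decoder exactly as posted beside the English-first decoder the reply suggests and a further step that captures fields, and it also shows that the posted <program_name> value differs from the pre-decoded program_name, which by itself keeps the decoder from matching. The header regex, the substring check for <program_name>, and the decoder/field names in WITH_FIELDS are assumptions; OSSEC's regex dialect is not Python's.

```python
import re

# Constructed sample: the event from the thread, retyped here as test input.
SAMPLE_EVENT = (
    "Jan 22 11:49:13 QAD2008PDC Security-Auditing: 4776: 计算机试图验证帐户的凭据。 验证包: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0"
)

# Phase 1 (pre-decoding): syslog-style header -> hostname, program_name, log (assumed layout).
SYSLOG_HEADER = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<program_name>[^:]+): (?P<log>.*)$", re.S
)

def predecode(event):
    """Return {'hostname', 'program_name', 'log'} or None if the header does not parse."""
    m = SYSLOG_HEADER.match(event)
    return m.groupdict() if m else None

def decode(decoder, event):
    """Phase 2: apply one decoder {name, program_name, regex, order}; return
    {'decoder': name, field: capture, ...} on a match, else None.
    Assumption: <program_name> is checked as a substring of the pre-decoded
    program_name, and <regex> uses Python syntax rather than OSSEC's dialect."""
    pre = predecode(event)
    if pre is None:
        return None
    wanted = decoder.get("program_name")
    if wanted is not None and wanted not in pre["program_name"]:
        return None  # decoder is skipped before its <regex> is ever tried
    m = re.search(decoder["regex"], pre["log"])
    if not m:
        return None
    fields = dict(zip(decoder["order"], m.groups()))
    return {"decoder": decoder["name"], **fields}

# The decoder exactly as posted: its <program_name> ("Security-Auditing-failure")
# is not the pre-decoded program_name ("Security-Auditing"), so it never matches.
POSTED = {"name": "Security-Auditing-failure", "program_name": "Security-Auditing-failure",
          "regex": r"(计算机试图验证帐户的凭据)", "order": ["srcip"]}

# Step 1 of the advice: matching program_name plus an English-only <regex>.
ENGLISH_FIRST = {"name": "english-first", "program_name": "Security-Auditing",
                 "regex": r"MICROSOFT_AUTHENTICATION_PACKAGE_V1", "order": []}

# Step 2: once that works, add the Chinese labels and field captures (hypothetical names).
WITH_FIELDS = {"name": "with-fields", "program_name": "Security-Auditing",
               "regex": r"^(\d+): .* 登录帐户: (\S+) 源工作站: (\S+) 错误代码: (\S+)$",
               "order": ["id", "user", "system_name", "status"]}
```

Calling decode(POSTED, SAMPLE_EVENT) returns None, mirroring "No decoder matched", while the two other decoders match.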