I actually have more fields I want to pull out, but this "bug" is preventing me 
from doing so.  Has anyone else run into this?  I can always use matches in my 
rules, but I like the flexibility of normalizing and writing rules that way. 

Sent from my iPhone

On Mar 22, 2013, at 4:05 PM, anthony kasza <anthony.ka...@gmail.com> wrote:

> I haven't tested anything on an installation, so I don't know if this
> is the cause of your issue or not, but your regex looks overly
> complex.
> Have you tried reducing the number of captured fields?
> 
> -Anthony
> 
> On Fri, Mar 22, 2013 at 2:29 PM, Chris Decker <ch...@chris-decker.com> wrote:
>> All,
>> 
>> I'm trying to decode a log that is tab-delimited.  When I paste my sample
>> log into logtest I'm seeing what appears to be a limitation in the number of
>> fields that can be extracted - notice how the field that should have gone
>> into 'extra_data' actually went into 'dstuser'.
>> 
>> Did I discover a bug, a known limitation, or is there something I am doing
>> incorrectly?
>> 
>> <decoder name="log">
>>   <prematch>\d*\t</prematch>
>>   <regex>\d*\t(\w+)\t(\d*.\d*.\d*.\d*)\t(\d*)\t(\d*.\d*.\d*.\d*)\t(\d*)\t\.*\t(\w*)\t(\.*)\t(\.*)\t(\.*)\t</regex>
>>   <order>id,srcip,srcport,dstip,dstport,action,url,extra_data,extra_data,status,user</order>
>> </decoder>
>> 
>> log: '1363971591.501387 dQ8eQftYbig 1.2.3.4 34483 1.2.3.4 80 1 GET
>> somewebsite.com/blah https://www.google.com/ SomeBrowser 0 10837 200 OK - -
>> 1.pdf application/pdf'
>> 
>> **Phase 2: Completed decoding.
>>       decoder: 'bro_http_log2'
>>       id: 'dQ8eQftYbig'
>>       srcip: '1.2.3.4'
>>       srcport: '34483'
>>       dstip: '1.2.3.4'
>>       dstport: '80'
>>       action: 'GET'
>>       url: 'somewebsite.com/blah'
>>       dstuser: 'https://www.google.com/'
>> 
>> Thanks,
>> Chris
>> 
>> --
>> 
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
> 

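A quick way to check a decoder like the one above before pasting it into logtest is to compare the number of capture groups in the regex with the number of names in <order>, and to replay the regex against the sample line to see which group lands in which name. The script below is an added example written for this thread; it is not part of the post and not OSSEC's own code. It assumes a tab-delimited rendering of the posted sample line (the mail client had re-wrapped it with spaces), and it translates OSSEC's regex dialect into a Python regex as an approximation: `\.` becomes "any character", a bare `.` becomes a literal dot, and `*`/`+` are rendered non-greedy on the assumption that os_regex takes the shortest repetition that lets the rest of the pattern match (which is how the logtest output in the post behaves for `(\.*)\t`). It does not reproduce whatever limit OSSEC itself places on the length of <order>; it only makes the mismatch visible: the posted regex has nine capture groups, <order> has eleven names, and `extra_data` appears twice.

```python
import re
from xml.etree import ElementTree as ET

# Decoder exactly as posted; the <root> wrapper is added only so ElementTree
# can parse a single fragment.
DECODER_XML = r"""<root>
<decoder name="log">
  <prematch>\d*\t</prematch>
  <regex>\d*\t(\w+)\t(\d*.\d*.\d*.\d*)\t(\d*)\t(\d*.\d*.\d*.\d*)\t(\d*)\t\.*\t(\w*)\t(\.*)\t(\.*)\t(\.*)\t</regex>
  <order>id,srcip,srcport,dstip,dstport,action,url,extra_data,extra_data,status,user</order>
</decoder>
</root>"""

# Constructed tab-delimited form of the sample line from the post (the mail
# client re-wrapped it with spaces, so the tab positions are an assumption).
SAMPLE_LOG = "\t".join([
    "1363971591.501387", "dQ8eQftYbig", "1.2.3.4", "34483", "1.2.3.4", "80",
    "1", "GET", "somewebsite.com/blah", "https://www.google.com/", "SomeBrowser",
    "0", "10837", "200", "OK", "-", "-", "1.pdf", "application/pdf",
])

# OSSEC character classes and their Python equivalents. Note the inversion:
# in OSSEC syntax a bare '.' is a literal dot and '\.' means "any character".
OSSEC_CLASSES = {"w": r"[A-Za-z0-9_]", "d": r"[0-9]", "s": r" ", "t": r"\t", ".": r"."}


def ossec_to_python(pattern):
    """Translate an OSSEC-syntax regex into a Python regex (approximation)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i >= len(pattern):
                raise ValueError("trailing backslash in OSSEC regex")
            # Escapes outside the table (e.g. \( and \)) are literals in OSSEC.
            out.append(OSSEC_CLASSES.get(pattern[i], re.escape(pattern[i])))
        elif c in "()|^$?":
            out.append(c)
        elif c in "*+":
            # Assumption: os_regex takes the shortest repetition that lets the
            # rest of the pattern match (this is what the logtest output in the
            # thread shows for '(\.*)\t'), so emit non-greedy quantifiers.
            out.append(c + "?")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def count_capture_groups(pattern):
    """Count '(' in an OSSEC regex, skipping escaped literals such as '\\('."""
    n, i = 0, 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2
            continue
        if pattern[i] == "(":
            n += 1
        i += 1
    return n


def load_decoder(xml_text):
    """Return (prematch, regex, order names) from a <decoder> element."""
    dec = ET.fromstring(xml_text).find("decoder")
    order = [f.strip() for f in dec.findtext("order").split(",")]
    return dec.findtext("prematch"), dec.findtext("regex"), order


def lint_decoder(xml_text):
    """Static checks: capture-group count vs. <order> length, duplicate names."""
    _, regex, order = load_decoder(xml_text)
    groups = count_capture_groups(regex)
    problems = []
    if groups != len(order):
        problems.append(f"{groups} capture groups but {len(order)} names in <order>")
    dupes = sorted({f for f in order if order.count(f) > 1})
    if dupes:
        problems.append("duplicate <order> names: " + ", ".join(dupes))
    return {"groups": groups, "order": order, "problems": problems}


def decode(xml_text, line):
    """Apply prematch, then regex, and pair each group with its <order> name."""
    prematch, regex, order = load_decoder(xml_text)
    if prematch and not re.search(ossec_to_python(prematch), line):
        return None
    m = re.search(ossec_to_python(regex), line)
    if m is None:
        return None
    # zip stops at the shorter list: names past the last group ('status',
    # 'user' here) never receive a value at all.
    return list(zip(order, m.groups()))
```

Running `lint_decoder(DECODER_XML)` reports both the 9-versus-11 mismatch and the duplicated `extra_data`; `decode(DECODER_XML, SAMPLE_LOG)` returns nine (name, value) pairs, with `url` holding `somewebsite.com/blah` and the first `extra_data` holding `https://www.google.com/`, matching the field boundaries logtest printed. Fixing the decoder means adding one group per name (or trimming <order>) so the two lists line up before asking whether a field-count limit is also in play.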

