> This is the decoder I'm trying to use. Trying to capture the user and the
> first IP address.
>
> <decoder name="pix_anyconnect_logon">
>   <parent>pix</parent>
>   <regex offset="after_parent">4-722051:\.+User (\S+)</regex>
>   <order>user</order>
> </decoder>
>
> I've tried getting rid of the "\.+User" and just leave the (\S+) after the
> ":". That didn't return anything.
>

The only decoders it is hitting are the parent pix and the generic pix as it is getting the id of the log. I have decoders working on other pix logs that do not contain <>.
