I think you can try \p

On 5 Sep 2014 21:53, "Brian Kellogg" <[email protected]> wrote:
>> This is the decoder I'm trying to use. Trying to capture the user and the
>> first IP address.
>>
>> <decoder name="pix_anyconnect_logon">
>> <parent>pix</parent>
>> <regex offset="after_parent">4-722051:\.+User (\S+)</regex>
>> <order>user</order>
>> </decoder>
>>
>> I've tried getting rid of the "\.+User" and just leave the (\S+) after
>> the ":". That didn't return anything.
>
> The only decoders it is hitting are the parent pix and the generic pix as
> it is getting the id of the log. I have decoders working on other pix logs
> that do not contain <>.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
