I've tested my decoders and now I'm trying to place them all in the local_decoder.xml file. When I do this, only the one listed first fires. What am I misunderstanding? Logtest will work, but only for the one listed first in the file. Thanks.
<decoder name="pix_anyconnect_logon">
  <parent>pix</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^4-722051:</prematch>
  <regex offset="after_prematch">User\s+\p(\S+)\p\s+IP\s+\p(\d+.\d+.\d+.\d+)\p</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="pix_vpn_fails">
  <parent>pix</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^3-713167:</prematch>
  <regex offset="after_prematch">Username\s+=\s+(\S+),\.+IP\s+=\s+(\S+),</regex>
  <order>user, srcip</order>
</decoder>
