I have two decoders in my local_decoder.xml file. With ossec-logtest I can only ever get the first one to fire. If I change the order then only the first one will fire again. What am I misunderstanding? Thanks.

<decoder name="pix_vpn_fails">
  <parent>pix</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^3-713167:</prematch>
  <regex offset="after_prematch">Username\s+=\s+(\S+),\.+IP\s+=\s+(\S+),</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="pix_anyconnect_logon">
  <parent>pix</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^4-722051:</prematch>
  <regex offset="after_prematch">User\s+\p(\S+)\p\s+IP\s+\p(\d+.\d+.\d+.\d+)\p</regex>
  <order>user, srcip</order>
</decoder>
