Hi All,
I've gone through a few threads about decoders for IIS. I'm just getting started and, so far, have only managed easy stuff. I'm trying to extract the fields mentioned in the decoder from the log entry using the decoder below, but the logtester still gives the result below. What am I missing this time :)

FULL LOG ENTRY:

    2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15

LOGTEST RESULTS:

    **Phase 1: Completed pre-decoding.
           full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
           hostname: 'sto-lab99'
           program_name: '(null)'
           log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'

    **Phase 2: Completed decoding.
           decoder: 'windows-date-format'

DECODER:

    <decoder name="web-accesslog-iis">
      <parent>windows-date-format</parent>
      <type>web-log</type>
      <use_own_name>true</use_own_name>
      <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
      <order>srcip, action, url, srcip, dstport</order>
    </decoder>

Best,
Fredrik
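An offline check of the decoder regex, added here as an example for this thread (it is not the poster's code and not part of OSSEC): it applies the posted pattern to the log line from the post, reports the token at which the pattern stops matching, and decodes the same line with an alternative pattern that has one capture group per <order> field. Assumptions: the subset of OSSEC regex syntax used (\d, \S, \., ., +, ^ and groups) means the same as in Python; an after_parent regex begins right after the date stamp that the parent decoder consumes; the field names in the alternative <order> are my choice (IIS logs the server address before the client address).

```python
import re
from typing import Optional

# Constructed copy of the IIS W3C line quoted in the post (user-agent shortened).
LOG = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 "
       "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3) 200 0 0 15")

# Regex and <order> exactly as posted.
POSTED_REGEX = r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) "
POSTED_ORDER = ["srcip", "action", "url", "srcip", "dstport"]

# Alternative (assumption, not from the post): one group per <order> field, applied
# to the text after the date stamp, which is where an after_parent regex starts if
# the parent's prematch consumes the date and time. First IP is the server (dstip).
FIXED_REGEX = r"^(\S+) (\S+) (\S+) - (\d+) - (\d+\.\d+\.\d+\.\d+) "
FIXED_ORDER = ["dstip", "action", "url", "dstport", "srcip"]
AFTER_DATE = LOG[len("2016-02-02 08:45:31 "):]

# Metacharacters OSSEC's regex engine does not support; reject them so a pattern
# that only "works" because of Python-specific syntax is not validated by mistake.
UNSUPPORTED = set("[]{}|?*")


def ossec_to_python(pattern: str) -> str:
    # \d, \S, \., ., +, ^ and ( ) mean the same in both engines, so the subset
    # used on this page maps one-to-one; only unsupported syntax is rejected.
    for ch in UNSUPPORTED:
        if ch in pattern:
            raise ValueError(f"{ch!r} is not OSSEC regex syntax")
    return pattern


def decode(pattern: str, order: list, text: str) -> Optional[dict]:
    # Map captured groups onto <order> names; None means "not decoded", either
    # because the regex failed or because group count and <order> length differ.
    m = re.match(ossec_to_python(pattern), text)
    if m is None or len(m.groups()) != len(order):
        return None
    return dict(zip(order, m.groups()))


def first_failing_token(pattern: str, text: str) -> Optional[str]:
    # Grow the pattern one space-separated token at a time and report the first
    # token at which matching stops; None means the whole pattern matches.
    tokens = pattern.split(" ")
    for i in range(1, len(tokens) + 1):
        if re.match(ossec_to_python(" ".join(tokens[:i])), text) is None:
            return tokens[i - 1]
    return None
```

Running the posted pattern through first_failing_token shows it matches up to the second (\S+) (the method) and stops at the literal "-", because the URI follows the method before any "-" field appears.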