On Fri, Feb 17, 2017 at 6:04 AM, Casimiro <hfbar...@gmail.com> wrote:
> I'm trying to override the windows decoder to extract more fields (in
> local_decoder.xml), like source ip, destination ip, source port.
>
> This is my local decoder for windows:
>
> <decoder name="windows-audit">
>   <parent>windows</parent>
>   <prematch>AUDIT_FAILURE(51512)</prematch>
>   <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
>   <order>srcip</order>
> </decoder>
>
> When I put the new decoder in local_decoder.xml, the windows log doesn't match
> the windows parent decoder. If I take off the local decoder, then the log matches
> the windows parent decoder.
>
> I want to get all fields: parent fields + child fields (in this case status,
> id, extra_data, srcuser, system_name and srcip).
>
> Thanks in advance
Log samples would help. What version of OSSEC? I think that MASTER has updated Windows decoders that might make things easier.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
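As an added example (not the poster's decoder and not one shipped with OSSEC), a child of the stock windows decoder that captures the source and destination address and port fields asked about, written in OSSEC's own regex dialect. It assumes the forwarded event text carries the labels "Source Address:", "Source Port:", "Destination Address:" and "Destination Port:" in that order, and reuses the event id exactly as posted; confirm both against a real log line with ossec-logtest before relying on it.

```xml
<!-- local_decoder.xml fragment: added example, not the poster's code.
     OSSEC regex reminders: \d+ = digits, \s+ = spaces, \.* = any characters,
     a bare "." is a literal dot, and bare ( ) form a capture group, so the
     literal parentheses around the event id are escaped as \( \).
     Field labels and their order are an assumption to verify on real logs. -->
<decoder name="windows-audit-wfp">
  <parent>windows</parent>
  <prematch>AUDIT_FAILURE\(51512\)</prematch>
  <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)\.*Source Port:\s+(\d+)\.*Destination Address:\s+(\d+.\d+.\d+.\d+)\.*Destination Port:\s+(\d+)</regex>
  <order>srcip, srcport, dstip, dstport</order>
</decoder>
```

Feed one captured event line to /var/ossec/bin/ossec-logtest: the output should list the parent's fields (status, id, extra_data, srcuser, system_name) followed by srcip, srcport, dstip and dstport; if the child is not selected, the prematch or a label in the regex does not match the text as the agent actually forwards it.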