On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J.
<gjahc...@compucenter.org> wrote:
> That is not what I meant.
>
> If the source IP is decoded and stored in field srcip, I want to be able to
> specify _srcip_ (or whatever convention used to tell regex that this is a
> variable), and have _srcip_ replaced by the value saved as srcip in the
> event.
>
> If srcip is 10.0.0.1, specifying in the regex
> <regex>Some-regex-preceding-_srcip_-some regex tailing</regex> _srcip_ in
> the regex would be dynamically replaced by its value (10.0.0.1) during regex
> evaluation.
>

There's no support for that.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to