Hello, I have this kind of log coming from a custom app:

    [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

I'm trying to block an IP with too many authentication failures. So I did a custom decoder which is working:

    <decoder name="app.ERROR">
      <prematch>^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p </prematch>
    </decoder>

    <decoder name="app.ERROR-verify-login">
      <parent>app.ERROR</parent>
      <regex offset="after_parent">^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$</regex>
      <order>status,srcip,extra_data,extra_data</order>
    </decoder>

and I want these rules working with this log:

    <rule id="100201" level="1">
      <decoded_as>app.ERROR</decoded_as>
      <description>Multiple login attempts customapp</description>
    </rule>

    <rule id="100202" level="7" frequency="10" timeframe="60">
      <if_matched_sid>100201</if_matched_sid>
      <same_source_ip />
      <description>Multiple login attempts customapp</description>
      <group>authentication_failures,</group>
    </rule>

But this is what I get when testing with */var/ossec/bin/ossec-logtest*:

    [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

    **Phase 1: Completed pre-decoding.
           full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
           hostname: 'Digital-Ocean-1'
           program_name: '(null)'
           log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'

    **Phase 2: Completed decoding.
           decoder: 'app.ERROR'
           status: 'failure'
           srcip: '172.17.0.1'
           extra_data: '[]'
           extra_data: '[]'

    **Phase 3: Completed filtering (rules).
           Rule id: '2501'
           Level: '5'
           Description: 'User authentication failure.'
    **Alert to be generated.

Why are my rules not working over the 2501 one?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
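An added example, not the poster's configuration nor anything shipped with OSSEC, of the usual way around this: OSSEC evaluates top-level rules from the highest level down and stops at the first match, so the stock rule 2501 (level 5, matching "Authentication failure") takes the event before a level-1 rule ever sees it. Chaining the custom rules under 2501 with `<if_sid>` lets them run as refinements of it; rule ids and the frequency/timeframe/level-7 values are taken from the post, the level-5 value for 100201 and the group name are assumptions.

```xml
<!-- Added example (not the original poster's rules): chain the custom rules
     under the stock OSSEC rule 2501 so they are evaluated as its children
     instead of competing with it as a lower-level top-level rule. -->
<group name="customapp,authentication_failed,">

  <!-- Child of 2501: evaluated only after 2501 has matched, and further
       restricted to events that came through the custom decoder.
       Level 5 (same as 2501) is an assumption; pick what suits your alerting. -->
  <rule id="100201" level="5">
    <if_sid>2501</if_sid>
    <decoded_as>app.ERROR</decoded_as>
    <description>customapp: authentication failure</description>
  </rule>

  <!-- 10 matches of 100201 from the same decoded srcip within 60 seconds
       (values from the post) escalate to level 7, which is above the
       default level-6 threshold of the firewall-drop active response
       in a stock ossec.conf (assumed unchanged here). -->
  <rule id="100202" level="7" frequency="10" timeframe="60">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>customapp: multiple authentication failures from same source IP</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Re-run the same line through ossec-logtest after the change; Phase 3 should report rule 100201, and feeding it ten times within a minute should report 100202.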