No effect. I tried dstip too, but I don't think either of those tags contains data due to the decoder used?
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

This means the only tags that contain data are status, id, extra_data, user, and system_name, right? Is there a way to dump the data that my rule would have processed? Is the decoder stripping what I'm trying to search for?

On Monday, July 3, 2017 at 5:43:39 AM UTC-7, Fredrik Hilmersson wrote:
>
> What happens if you change <match> using <srcip>192.168.1.255</srcip>?
>
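To make concrete which fields the windows decoder quoted above actually populates, here is an added example (not from the post and not OSSEC's own code) that applies the decoder's prematch and concatenated regex to a constructed WinEvtLog line and returns the decoded fields. The sample log line is constructed, and the translation of OSSEC's regex dialect into Python (`\.` as any character, matched lazily up to the next separator; both `<regex>` tags joined into one pattern) is an approximation I assume for illustration. The `rule_match` helper models a rule `<match>` as a plain substring test on the log text, independent of decoded fields, which is how I understand OSSEC evaluates it.

```python
import re

# Constructed sample line in the shape OSSEC agents forward Windows event
# log entries (timestamp, "WinEvtLog: ", then colon-separated fields).
# Not a real log; the IP is there only to show where it ends up.
SAMPLE = (
    "2017 Jul 03 12:43:39 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: "
    "WKS01.example.com: An account was successfully logged on. "
    "Source Network Address: 192.168.1.255 Source Port: 49152"
)

# The decoder from the post, transcribed. The prematch alternation is split
# into a list; the two <regex> tags are concatenated, as OSSEC does when
# no offset is given on the second one.
PREMATCH = [r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: ",
            r"^WinEvtLog: "]
REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): " + r"(\.+): \.+: (\S+): "
ORDER = ["status", "id", "extra_data", "user", "system_name"]


def ossec_to_python(pattern):
    """Assumed approximation of OSSEC regex syntax in Python's re:
    '\\.' is any character, matched lazily so each field stops at the
    next ': ' separator; \\w, \\d and \\S keep their usual meaning."""
    return pattern.replace(r"\.+", ".+?")


def decode(line):
    """Return the fields the decoder populates for one log line.

    None  -> prematch failed (decoder does not apply)
    {}    -> prematch hit but the regex did not match
    dict  -> field name -> captured value, per <order>
    """
    rest = None
    for pm in PREMATCH:
        m = re.match(ossec_to_python(pm), line)
        if m:
            # offset="after_prematch": regex runs on the remainder only
            rest = line[m.end():]
            break
    if rest is None:
        return None
    m = re.match(ossec_to_python(REGEX), rest)
    if not m:
        return {}
    return dict(zip(ORDER, m.groups()))


def rule_match(line, needle):
    """Model of a rule <match>: substring test on the log text itself.
    Assumption: it does not depend on any decoder field, so data the
    decoder never captures (like an IP in the message body) is still
    searchable this way, while <srcip> needs a populated srcip field."""
    return needle in line


if __name__ == "__main__":
    fields = decode(SAMPLE)
    for name in ORDER:
        print(f"{name:12s} = {fields[name]}")
    print("srcip populated:", "srcip" in fields)
    print("<match> on 192.168.1.255:", rule_match(SAMPLE, "192.168.1.255"))
```

Running it lists the five populated fields and shows that nothing is assigned to srcip or dstip, so a `<srcip>` condition has nothing to compare against even though the address is still present in the log text a `<match>` would search. The real tool for this is ossec-logtest, which prints the decoder name and decoded fields for a pasted log line; the script above only mimics that for the one decoder.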