I started with this but no success so far.
<decoder name="test">
    <prematch>$BAD WORDS: </prematch>
</decoder>

<decoder name="syslog">
    <parent>test</parent>
    <prematch offset="after_parent">ERROR</prematch>
    <regex offset="after_parent">(\S+)</regex>
    <order>extra_data</order>
</decoder>
