Correct me if I'm wrong, but I don't believe you need to set up the match
statements for the date and hostname. I think that should just become..
<decoder name="swg1">
  <prematch>^M86 SWG Web Event</prematch>
  <regex offset="after_prematch"> - Action: (\w+);</regex>
  <order>action</order>
</decoder>
--Josh
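To see what the decoder above would and would not extract before running it through ossec-logtest, here is an added test harness (not part of the thread, not OSSEC's own code). It models only the prematch / regex / offset="after_prematch" / order semantics of an OSSEC decoder on top of a minimal syslog header split; it does not replicate OSSEC's own program-name extraction, so a mismatch there is one reason a decoder can fail on a real event even when this harness succeeds. The sample events and the DECODER dictionary are constructed for this example; the real SWG event from the thread is not reproduced here.

```python
import re

# Constructed sample events, shaped like the decoder's prematch expects.
SAMPLE_EVENT = ("Mar 12 10:15:02 swg1 M86 SWG Web Event - Action: Block; "
                "User: jdoe; URL: http://example.invalid/")
NO_ACTION_EVENT = "Mar 12 10:15:03 swg1 M86 SWG Web Event - Status: OK;"
OTHER_EVENT = "Mar 12 10:15:04 fw1 kernel: link is up"

# Hypothetical decoder, mirroring the XML posted above.
DECODER = {
    "name": "swg1",
    "prematch": r"^M86 SWG Web Event",
    "regex_offset": "after_prematch",
    "regex": r" - Action: (\w+);",
    "order": ["action"],
}

# Minimal syslog header split: "Mon DD HH:MM:SS hostname <rest>".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)


def ossec_to_python_regex(pattern):
    """Translate the subset of OSSEC regex syntax used here into Python re syntax.

    OSSEC's \\w matches letters, digits, '_', '-' and '@' (wider than Python's);
    '^' and literal text behave the same in both.
    """
    return pattern.replace(r"\w", r"[A-Za-z0-9_@-]")


def decode(event, decoder):
    """Apply one decoder to one syslog line.

    Returns None when the header or prematch does not match (decoder not
    selected), a result with empty fields when prematch hits but the regex
    misses, and the extracted fields otherwise.
    """
    header = SYSLOG_HEADER.match(event)
    if not header:
        return None
    body = header.group("rest")

    pre = re.compile(ossec_to_python_regex(decoder["prematch"])).search(body)
    if not pre:
        return None

    # offset="after_prematch": the regex is tried only from the end of the
    # prematch hit onwards, not from the start of the message.
    start = pre.end() if decoder["regex_offset"] == "after_prematch" else 0
    rx = re.compile(ossec_to_python_regex(decoder["regex"])).search(body, start)
    if not rx:
        return {"decoder": decoder["name"], "hostname": header.group("host"),
                "fields": {}}

    # <order> names the capture groups in sequence.
    fields = dict(zip(decoder["order"], rx.groups()))
    return {"decoder": decoder["name"], "hostname": header.group("host"),
            "fields": fields}


if __name__ == "__main__":
    for line in (SAMPLE_EVENT, NO_ACTION_EVENT, OTHER_EVENT):
        print(decode(line, DECODER))
```

When the harness decodes a line but OSSEC does not, the next thing to check is the exact bytes the agent receives (ossec-logtest, fed the line from the log file rather than from a pasted mail), since a different program-name layout or an unexpected leading token will stop the prematch before the regex is ever tried.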
Hi,
Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so is
willing to share its decoder and local_rules.xml config? (I am not trying
to reinvent the wheel here and Google has nothing on it except Vic
Hargrave's blog, but I cannot post on it because of technical issues at
Hi Josh,
I tried that too but when I test with the whole syslog event that comes in (in
my original message) it never decodes it. I'll triple check that the syslog
event from the SWG is in fact what I'm testing against.
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On