Re: [ossec-list] decoder prematch (regex) issue

2016-01-28 Thread Santiago Bassett
Correct, I think that it is. On Wed, Jan 27, 2016 at 11:06 PM, Fredrik wrote: > Hi Santiago! > > > Thanks for your input. As you pointed out the \D+ is out of place and I > couldn't figure out why that would match whereas the latter regex, that I > believed to be more

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Santiago Bassett
Agree with Dan, also double check the regexes, as it looks like there are some inconsistencies at the end. I don't think that \D+ is in the right place. Best On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) wrote: > > On Jan 27, 2016 10:06 AM, "Fredrik"

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Thanks Dan! I obviously didn't realize that this was the case :( This means that I should create a regex that takes the missing entry part into account and hence matches: Jan 27 9:32:28 st4600fw01n1 not the full string I was aiming for? This would then explain the, from my point of view,

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Hi Santiago! Thanks for your input. As you pointed out the \D+ is out of place and I couldn't figure out why that would match whereas the latter regex, that I believed to be more complete, wouldn't. With input from Dan and yourself, I realize that OSSEC is offering a helping hand in stripping

[ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Hi All, Been working on a regex to match the highlighted part of the (event) string below: *Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network; ...