@googlegroups.com
[mailto:ossec-list@googlegroups.com] On Behalf Of Joshua Garnett
Sent: Saturday, March 01, 2014 9:13 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Decoder assistance
Correct me if I'm wrong, but I don't believe you need to setup the match
*From:* Nathaniel Bentzinger
*Sent:* Saturday, March 01, 2014 5:16 PM
*To:* ossec-list@googlegroups.com
*Subject:* RE: [ossec-list] Decoder assistance
Hi Josh,
I tried that too but when I test with the whole syslog event that comes in
(in my original message) it never decodes it. I'll triple
@googlegroups.com
Subject: Re: [ossec-list] Decoder assistance
Nathan,
I just played around with this in a VM. It appears the decoder wants a program
name defined. The following worked for me:
<decoder name="swg">
<program_name></program_name>
<prematch>M86 SWG Web Event</prematch>
regex offset
Correct me if I'm wrong, but I don't believe you need to setup the match
statements for the date and hostname. I think that should just become..
<decoder name="swg1">
<prematch>^M86 SWG Web Event</prematch>
<regex offset="after_prematch"> - Action: (\w+);</regex>
<order>action</order>
</decoder>
--Josh
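A simplified emulation of how the swg1 stanza above takes an event apart (program name from the syslog header, prematch, regex applied after the prematch, order naming the captured field), added here as an example that is not part of the thread or of OSSEC's own code. The sample syslog line, the hostname and the decode() helper are constructed, and Python's re stands in for OSSEC's own regex dialect.

```python
import re

# Constructed sample syslog line (assumption: the real M86 SWG event format is
# not shown on the page; this line only exercises the decoder logic).
SAMPLE_LINE = ("Mar  1 09:13:00 swg01 swg: M86 SWG Web Event"
               " - Action: Block; URL: http://example.test/")

# The swg1 stanza from the thread, expressed as a dict. program_name is
# optional here so both variants discussed in the thread can be tried.
DECODER = {
    "program_name": "swg",
    "prematch": r"^M86 SWG Web Event",
    "regex": r" - Action: (\w+);",
    "order": ["action"],
}

# Syslog header: timestamp, hostname, program[pid]: message body
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def decode(line, decoder):
    """Return the decoded fields, or None when the decoder does not fire."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    # program_name is checked against the syslog program field, not the body
    prog_re = decoder.get("program_name")
    if prog_re and not re.match(prog_re, m["prog"]):
        return None
    body = m["msg"]
    pm = re.search(decoder["prematch"], body)
    if not pm:
        return None
    # offset=after_prematch: the regex only sees what follows the prematch
    rm = re.search(decoder["regex"], body[pm.end():])
    if not rm:
        return None
    # order maps capture groups, left to right, onto field names
    fields = dict(zip(decoder["order"], rm.groups()))
    fields["program_name"] = m["prog"]
    fields["hostname"] = m["host"]
    return fields


if __name__ == "__main__":
    print(decode(SAMPLE_LINE, DECODER))
```

Dropping program_name from the dict shows the behaviour of the shorter swg1 variant, where only the prematch gates the decoder.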