The pcre for the second instances of Account Name and Account Domain

were grabbing too much. So modify them to only grab the username and domain name.
ossec · May 22, 2020 · 811bdfc · 811bdfc
1 parent d49a9c1
commit 811bdfc
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/etc/decoder.xml b/etc/decoder.xml
@@ -2022,18 +2022,17 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
 <decoder name="windows1">
   <type>windows</type>
   <parent>windows</parent>
-  <pcre2> Account Name:[ ]+?([A-Za-z0-9@_-]+?.+)[ ]+?Account</pcre2>
+  <pcre2> Account Name:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Account</pcre2>
   <order>user</order>
 </decoder>
 
 <decoder name="windows1">
   <type>windows</type>
   <parent>windows</parent>
-  <pcre2>Account Domain:[ ][ ]+?([A-Za-z0-9@_-].+)[ ][ ]+?Logon ID:</pcre2>
+  <pcre2>Account Domain:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Logon ID:</pcre2>
   <order>extra_data</order>
 </decoder>
 
-
 <!-- Windows decoder -NTsyslog format
   - Will extract extra_data (as win source),action (as win category), id,
   - username and computer name (as url).