I have a log file in which each "log" consists of 4 lines and is separated by ** Alert. [Simple enough]
Can somebody try to explain why this is not working?
** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root
As shown in the screenshot below:
And I am using
multiline:
  pattern: '^\*'
  negate: true
  match: after
As shown in the screenshot below:
The regex must work:
I am going crazy.
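To see what the `negate: true` / `match: after` combination actually does to this input, here is an added example (not from the post, and not Filebeat's own code) that re-implements Filebeat's multiline grouping rules in Python and runs them over a constructed two-alert sample built from the alert quoted above. The `group_multiline` and `parse_alert` helpers and the second alert are assumptions made for the example; the pattern `^\*` is the one from the post.

```python
import re

# Constructed sample: two OSSEC alerts in the four-line layout the post describes.
# The first alert is the one quoted in the post; the second is a made-up variant.
SAMPLE_LOG = """\
** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root
** Alert 1554131300.000000: - pam,syslog,
2019 Apr 01 15:08:20 OSSEC_Hids->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Apr 1 15:08:19 OSSEC_Hids sudo: pam_unix(sudo:session): session opened for user root
"""


def group_multiline(lines, pattern=r"^\*", negate=True, match="after"):
    """Group raw lines into events using Filebeat-style multiline semantics.

    A line is a "continuation" line when (it matches the pattern) XOR negate.
    match="after":  continuation lines are appended to the preceding event.
    match="before": continuation lines are prepended to the next non-continuation line.
    With the post's config (negate=True, match="after") every line that does NOT
    start with '*' is glued onto the most recent '** Alert' line.
    """
    regex = re.compile(pattern)
    events, current = [], []
    for line in lines:
        matched = regex.search(line) is not None
        continuation = matched != negate  # negate flips which lines continue
        if match == "after":
            if continuation and current:
                current.append(line)
            else:
                if current:
                    events.append("\n".join(current))
                current = [line]  # a non-continuation line starts a new event
        elif match == "before":
            current.append(line)
            if not continuation:  # the terminator line closes the event
                events.append("\n".join(current))
                current = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if current:  # flush whatever is left at end of input
        events.append("\n".join(current))
    return events


# Field extraction for one grouped OSSEC alert (assumed layout: header, location,
# rule line, original log line).
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): - (?P<groups>.*)$")
RULE_LINE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alert(event):
    """Return a dict of the alert's fields, or None if the event is not a 4-line alert."""
    lines = event.splitlines()
    if len(lines) < 4:
        return None
    header = ALERT_HEADER.match(lines[0])
    rule = RULE_LINE.match(lines[2])
    if header is None or rule is None:
        return None
    return {
        "timestamp": float(header["ts"]),
        "groups": [g for g in header["groups"].split(",") if g],
        "location": lines[1],
        "rule_id": rule["rule_id"],
        "level": int(rule["level"]),
        "description": rule["desc"],
        "original": lines[3],
    }


if __name__ == "__main__":
    for event in group_multiline(SAMPLE_LOG.splitlines()):
        print(parse_alert(event))
```

Run as-is it yields exactly two events of four lines each, which is the grouping the post expects from `^\*` with `negate: true` and `match: after`. Switching the same pattern to `match: before` splits the sample into three badly aligned events, so if the events in Kibana look wrong the first things to confirm are that the `multiline` keys sit under the input that reads this file and that `match` really is `after`. A blank separator line between alerts would also be absorbed into the preceding event, since it does not match `^\*`.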