To respond to my own question: It is fixed! I had to restart ossec-hids on the client/agent and voila: it works!

Thanks again for all the help!

Michiel

2012/11/20 Michiel van Es <vanesmich...@gmail.com>
>
>
> 2012/11/19 dan (ddp) <ddp...@gmail.com>
>
>> <snip>
>>
>> The decoder is clavister, not clavister-alert.
>>
>> Before changing the decoder name:
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
>> action=drop rule=d_all_any_to_external recvif=cpub1003
>> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
>> srcport=80 destport=49511 ack=1 fin=1'
>>        hostname: '10.170.80.3'
>>        program_name: '(null)'
>>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'clavister'
>>        action: 'drop'
>>        srcip: '10.170.83.14'
>>        dstip: '81.83.145.188'
>>        srcport: '80'
>>        dstport: '49511'
>>        extra_data: 'ack=1 fin=1'
>>
>>
>> After changing the decoder name:
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
>> action=drop rule=d_all_any_to_external recvif=cpub1003
>> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
>> srcport=80 destport=49511 ack=1 fin=1'
>>        hostname: '10.170.80.3'
>>        program_name: '(null)'
>>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'clavister'
>>        action: 'drop'
>>        srcip: '10.170.83.14'
>>        dstip: '81.83.145.188'
>>        srcport: '80'
>>        dstport: '49511'
>>        extra_data: 'ack=1 fin=1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '700006'
>>        Level: '12'
>>        Description: 'Clavister drop firewall!'
>> **Alert to be generated.
>>
>>
>> <snip>
>>
>
> Ok, thanks, I can see now via logtest that it will alert. I don't see
> anything appearing in the alert.log logfile on the manager.
> Could the syntax of the agent.conf and location be wrong:
>
> <agent_config name="*machine*">
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/data/logs/host/fw-10.170.80.*.log</location>
>   </localfile>
>
> Notice I use fw-10.170.80.*.log, will the wildcard work?
> (The firewall logfiles are named fw-10.170.80.2.log, fw-10.170.80.3.log,
> fw-10.170.80.4.log, etc.)
>
> Michiel
>
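An added Python example (not code from the thread and not OSSEC's own decoder) that reproduces the two ossec-logtest phases over the Clavister line quoted above: it splits off the syslog header as phase 1 does, then maps the key=value pairs to the field names the clavister decoder showed in phase 2. The regexes, the FIELD_MAP and the rule that trailing unmapped pairs become extra_data are my assumptions, not the real decoder definition.

```python
import re
from typing import Dict, Optional

# Constructed sample: the Clavister EFW line from the thread, as the agent
# would read it from the syslog-format file for host 10.170.80.3.
SAMPLE_EVENT = (
    "Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] "
    "EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet "
    "action=drop rule=d_all_any_to_external recvif=cpub1003 "
    "srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 "
    "srcport=80 destport=49511 ack=1 fin=1"
)

# Syslog header as phase 1 splits it: timestamp, hostname, remaining log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<log>.*)$")
# Clavister body: bracketed device time, "EFW: RULE:", then key=value pairs.
CLAVISTER_RE = re.compile(r"^\[(?P<devtime>[^\]]+)\] EFW: RULE: (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed mapping from Clavister keys to the OSSEC field names seen in phase 2.
FIELD_MAP = {"action": "action", "srcip": "srcip", "destip": "dstip",
             "srcport": "srcport", "destport": "dstport"}


def pre_decode(event: str) -> Dict[str, Optional[str]]:
    """Phase 1: strip the syslog header; there is no program name, so it is None."""
    m = SYSLOG_RE.match(event)
    if not m:
        raise ValueError("not a syslog-format line")
    return {"hostname": m.group("host"), "program_name": None, "log": m.group("log")}


def decode_clavister(log: str) -> Dict[str, str]:
    """Phase 2: extract the fields the 'clavister' decoder exposed.

    Returns {} when the line is not a Clavister RULE event, i.e. the decoder
    does not match. Pairs after the last mapped key are joined into extra_data
    (assumption; it reproduces 'ack=1 fin=1' from the thread)."""
    m = CLAVISTER_RE.match(log)
    if not m:
        return {}
    pairs = KV_RE.findall(m.group("kv"))
    fields = {"decoder": "clavister"}
    mapped_idx = [i for i, (k, _) in enumerate(pairs) if k in FIELD_MAP]
    for i in mapped_idx:
        key, value = pairs[i]
        fields[FIELD_MAP[key]] = value
    trailing = pairs[mapped_idx[-1] + 1:] if mapped_idx else pairs
    extra = " ".join(f"{k}={v}" for k, v in trailing)
    if extra:
        fields["extra_data"] = extra
    return fields
```

Feeding a line that fails CLAVISTER_RE yields an empty dict, which is the local equivalent of logtest reporting no decoder match.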