On Fri, Nov 13, 2015 at 11:16 AM, Pedro S. <snao...@gmail.com> wrote: > My confusion was the rule he wrote here has SID 100005 and the logtest > result has SID 100007, sorry about that. >
You're right, I totally missed that. Now I'm wondering what 100007 is. > Still i'll try to create a generic rule to make sure OSSEC is loading new > rules. > > Anyways if Dan already has tested it, the rule is working, it should be your > OSSEC is not loading the rule properly. > > > El viernes, 13 de noviembre de 2015, 8:04:05 (UTC-8), dan (ddpbsd) escribió: >> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <sna...@gmail.com> wrote: >> > Hi Daniel, >> > >> > The alerts you changed to level 0 it isn't the same that you write some >> > lines before, isn't it? >> > You turn to 0 rule SID 100005 but the alert you show us has SID 1002. >> > >> >> The log message used in the ossec-logtest example matches the log >> message that is in the alert. The problem is that ossec-logtest shows >> that the log message should match rule 100005, but ossec-analysisd is >> matching the log message to 1002. >> >> >> > For testing purposes try to deactivate (change to level 0) rule 1002 and >> > check if it is still generating these alerts. >> > >> >> Don't do this. There's no reason to change that to 0. Even for >> testing. I've been using OSSEC for a little while now, and I don't >> think that would have ever helped with anything. >> >> > >> > >> > >> > >> > El viernes, 13 de noviembre de 2015, 7:44:37 (UTC-8), Daniel Bray >> > escribió: >> >> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: >> >>>> >> >>>> I'm waiting to see if it generates an alert. >> >>> >> >>> >> >> >> >> >> >> Nope, issue remains. Very confusing. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to ossec-list+...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
