Incredibly basic rule(s), as follows, to get a match to the software restriction policies on an MS PC.

  <rule id="100037" level="11">
    <match>WARNING(865)</match>
    <description>Tried to run something from the wrong area</description>
  </rule>

Also tried

  <rule id="100036" level="11">
    <match>SoftwareRestrictionPolicies</match>
    <description>Tried to run something from the wrong area</description>
  </rule>

and

  <rule id="100035" level="11">
    <match>Microsoft-Windows-SoftwareRestrictionPolicies</match>
    <description>Tried to run something from the wrong area</description>
  </rule>

Log test produces the following:

  ossec-testrule: Type one log per line.

  015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog 2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): Microsoft-Windows-SoftwareRestrictionPolicies:

  **Phase 1: Completed pre-decoding.
         full event: '015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog 2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): Microsoft-Windows-SoftwareRestrictionPolicies:'
         hostname: 'ossec'
         program_name: '(null)'
         log: '015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog 2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): Microsoft-Windows-SoftwareRestrictionPolicies:'

  **Phase 2: Completed decoding.
         No decoder matched.

  **Phase 3: Completed filtering (rules).
         Rule id: '100037'
         Level: '11'
         Description: 'Tried to run something from the wrong area'
  **Alert to be generated.

So it looks good: all three have matched under logtest (the test line is copied from the archive file after logall was applied...).

But I get no alerts after restarting. It's so basic, I can't see what can possibly be wrong, but I've been looking at it for over a day now and am starting to go a bit mad ;-)

Any ideas? Please?
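An added check, not part of the original post: ossec-logtest expects the message as the agent sent it, whereas each archives.log record prefixes that message with the server's receive time and the agent's name, IP and location, which is consistent with the logtest run above reporting program_name '(null)' and no decoder matched. The Python below splits a record back into its fields, approximates `<match>` as OSSEC's substring match (only ^, $ and | special) and reports which of the three rules hit; the sample record is constructed from the post's line, and the windows decoder's `^WinEvtLog: ` prematch is an assumption taken from OSSEC's stock decoder.xml.

```python
import re

# Constructed sample: the archives.log record pasted in the post, with the
# year's leading "2" (lost in the paste) restored and nothing else added.
ARCHIVE_LINE = (
    "2015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog "
    "2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): "
    "Microsoft-Windows-SoftwareRestrictionPolicies:")
# The three rules from the post: (rule id, <match> pattern).
RULES = [("100037", "WARNING(865)"),
         ("100036", "SoftwareRestrictionPolicies"),
         ("100035", "Microsoft-Windows-SoftwareRestrictionPolicies")]
# archives.log record: "<receive time> <agent name/ip>-><location> <raw log>"
ARCHIVE_RE = re.compile(
    r"^(?P<received>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>.+?)->(?P<location>\S+) (?P<log>.*)$")
# Timestamp the Windows agent prepends to each event before "WinEvtLog: ".
AGENT_TS_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")

def split_archive_record(line):
    """Return the fields of an archives.log record, or None if it is not one."""
    m = ARCHIVE_RE.match(line)
    return m.groupdict() if m else None

def ossec_match(pattern, text):
    """Approximate OSSEC <match>: substring search; only ^, $ and | are special."""
    for alt in pattern.split("|"):
        body = alt.strip("^$")
        if alt.startswith("^") and alt.endswith("$"):
            hit = text == body
        elif alt.startswith("^"):
            hit = text.startswith(body)
        elif alt.endswith("$"):
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False

def matched_rule_ids(log, rules=RULES):
    """Ids of the rules whose <match> hits the log text, in rule-file order."""
    return [rid for rid, pat in rules if ossec_match(pat, log)]

def looks_like_windows_event(log):
    """True if, after the agent timestamp, the text starts with the stock windows
    decoder's prematch (assumed from OSSEC's decoder.xml: ^WinEvtLog: )."""
    return AGENT_TS_RE.sub("", log, count=1).startswith("WinEvtLog: ")
```

Feed the record's log field (the raw agent message) to ossec-logtest rather than the whole archives.log line, so the test decodes the event the way the live server does.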