On Mar 14, 2017 10:57 AM, <ehollis3...@gmail.com> wrote:
Hello All,
I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:
**Phase 2: Completed decoding.
decoder: 'Symantec'
**Phase 3: Completed filtering (rules).
Rule id: '100006'
Level: '7'
Description: 'Symantec: virus found'
**Alert to be generated.
Do I need to point OSSEC to monitor the incoming syslog so that it can
alert on it? Again, I am seeing the straight syslog coming into ELSA, but
no OSSEC alert appears to be generated.
Figure out which syslog file they're saved in and make sure ossec has a
localfile entey for that file.
Make sure you restarted your ossec processes after adding the decoder/rules
Thanks
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
