On Mar 14, 2017 10:57 AM, <ehollis3...@gmail.com> wrote:
> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:
>
> **Phase 2: Completed decoding.
>        decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100006'
>        Level: '7'
>        Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.

Figure out which syslog file they're saved in and make sure ossec has a localfile entry for that file.

Make sure you restarted your ossec processes after adding the decoder/rules

Thanks

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
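An added example of the localfile entry the reply refers to (not code from the thread or from the OSSEC project). It assumes the receiving syslog daemon writes the forwarded Symantec messages to /var/log/symantec.log; that path is a placeholder and should be replaced with the file actually found on the server. ossec-logtest only exercises decoders and rules against pasted input, so a passing Phase 3 says nothing about whether ossec-logcollector is reading the file at all; without a localfile entry for it, nothing reaches ossec-analysisd and no alert is written.

```xml
<!-- Fragment to add inside /var/ossec/etc/ossec.conf (example, not from the thread).
     The <location> path is an assumption: use the file your syslog daemon
     actually writes the forwarded Symantec events to. -->
<ossec_config>
  <localfile>
    <!-- Forwarded messages arrive as standard syslog lines, so the stock
         syslog reader is the right log_format; the custom 'Symantec'
         decoder then matches on the message content. -->
    <log_format>syslog</log_format>
    <location>/var/log/symantec.log</location>
  </localfile>
</ossec_config>
```

After editing the configuration, restart OSSEC (for example with /var/ossec/bin/ossec-control restart) so that logcollector picks up the new file and analysisd reloads the decoders and rules; then check /var/ossec/logs/ossec.log for a line confirming that the file is being analyzed, and /var/ossec/logs/alerts/alerts.log for rule 100006 firing on a fresh event.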
I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working: **Phase 2: Completed decoding. decoder: 'Symantec' **Phase 3: Completed filtering (rules). Rule id: '100006' Level: '7' Description: 'Symantec: virus found' **Alert to be generated. Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated. Figure out which syslog file they're saved in and make sure ossec has a localfile entey for that file. Make sure you restarted your ossec processes after adding the decoder/rules Thanks -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.