Hello. This is a very old thread, but I am facing some similar issues.

Can you post the rules that you wrote to get that to work?

Thanks.

On Friday, April 13, 2012 at 10:04:21 PM UTC+4, tomcelica wrote:
>
> Any ideas what my next step is? No alert is logged even though the rule 
> tests and seems to work. 
> Can this be a bug? 
>
> Here is a record from archives.log showing that the Win7 ossec.conf is 
> sending alerts to the OSSEC HIDS server (server configured with the 
> logall option): 
>
> 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: 
> OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no 
> domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is 
> incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) 
> P1: 200603 P2: 14.0.6029.1000 P3:  P4: 
>
> When I paste this log line into ossec-logtest it seems to pass. 
>
>
> [root@it-mgmt bin]# ./ossec-logtest 
> 2012/04/13 10:57:17 ossec-testrule: INFO: Reading local decoder file. 
> 2012/04/13 10:57:17 ossec-testrule: INFO: Started (pid: 3107). 
> ossec-testrule: Type one log per line. 
>
> 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: 
> OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no 
> domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is 
> incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) 
> P1: 200603 P2: 14.0.6029.1000 P3:  P4: 
>
>
> **Phase 1: Completed pre-decoding. 
>        full event: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog 
> WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): 
> no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is 
> incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) 
> P1: 200603 P2: 14.0.6029.1000 P3:  P4:' 
>        hostname: 'it-mgmt' 
>        program_name: '(null)' 
>        log: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog 
> WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): 
> no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is 
> incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) 
> P1: 200603 P2: 14.0.6029.1000 P3:  P4:' 
>
> **Phase 2: Completed decoding. 
>        decoder: 'Office-Alerts' 
>        dstuser: 'Microsoft Office 14 Alerts: ' 
>        status: 'tp-e420s-1546.mydomain.net:' 
>        action: 'Microsoft Word The password is incorrect. Word cannot 
> open the document.' 
>
> **Phase 3: Completed filtering (rules). 
>        Rule id: '109101' 
>        Level: '14' 
>        Description: 'Password Protected Document was submitted' 
> **Alert to be generated. 
>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
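The Phase 1 output above reports hostname 'it-mgmt' and program_name '(null)', which means the whole archives.log line, header included, was pasted into ossec-logtest instead of the 'WinEvtLog: OAlerts: ...' string the agent actually forwards; a stand-alone Office-Alerts decoder can match that pasted line, but on the server the stock windows decoder (prematch '^WinEvtLog: ') claims the event first and a later stand-alone decoder is never consulted. The local_decoder.xml and local_rules.xml fragments below are an added illustration of a child-decoder layout that avoids this, not the poster's own rules; the regex, the use of 'windows' as parent name, and the assumption that a child decoder does not inherit its parent's type are mine and should be confirmed with ossec-logtest on the agent-forwarded line.

```xml
<!-- etc/local_decoder.xml (added example, not the poster's configuration)
     Child of the stock "windows" decoder, so it is tried for the line the
     agent forwards. The first decoder whose prematch hits owns the event,
     so a stand-alone decoder listed after "windows" never sees WinEvtLog
     lines. -->
<decoder name="Office-Alerts">
  <parent>windows</parent>
  <!-- assumption: keep the windows category explicitly, since the child
       is not assumed to inherit the parent's type -->
  <type>windows</type>
  <prematch offset="after_parent">^OAlerts: </prematch>
  <!-- captures: dstuser = "Microsoft Office 14 Alerts",
       status  = the FQDN after "no domain: ",
       action  = message text up to the two spaces before "(C:\...)" -->
  <regex offset="after_prematch">^INFORMATION\(\d+\): (\.+): \(no user\): no domain: (\S+): (\.+)  \(</regex>
  <order>dstuser, status, action</order>
</decoder>

<!-- etc/rules/local_rules.xml: id, level and description taken from the
     Phase 3 logtest output above -->
<group name="local,windows,office,">
  <rule id="109101" level="14">
    <decoded_as>Office-Alerts</decoded_as>
    <match>The password is incorrect</match>
    <description>Password Protected Document was submitted</description>
  </rule>
</group>

<!-- To test, feed ossec-logtest only the text after "172.17.3.0->WinEvtLog "
     in the archives.log record, i.e. the line beginning
     "WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: ..."
     so the server-side decoder chain is exercised exactly as in production. -->
```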