Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-28 Thread Gert Verhoog
That works like a charm, thank you for your help! Cheers, Gert

On Thursday, May 25, 2017 at 1:21:52 AM UTC+12, Jesus Linares wrote:
> I don't know what is happening. Both regex and match look in the full_log field. So it should work with regex (escaping reserved characters) and

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-24 Thread Jesus Linares
I don't know what is happening. Both regex and match look in the full_log field. So it should work with regex (escaping reserved characters) and match. It looks like the full_log doesn't contain that information, only the filename. Anyway, if you are using Wazuh 2.0, the "title" and

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-23 Thread Gert Verhoog
I think I'm just really confused as to what "regex" and "match" are actually matching against. Given the following log event: 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-23 Thread Gert Verhoog
Unfortunately, it's still not working, and I'm not sure what else I can try... This is what I'm doing: The log entries that I want to ignore all look like this (from archives.log): 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-22 Thread Gert Verhoog
Aha, thanks for the insights, that makes sense. I've changed the \.* into \S* and restarted everything. It seems to work! Thanks for your help! Cheers, Gert

On Tuesday, May 23, 2017 at 1:35:58 AM UTC+12, Jesus Linares wrote:
> You can't use ossec-logtest for rootcheck events. For example, if

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-22 Thread Jesus Linares
You can't use ossec-logtest for rootcheck events. For example, if I get the full_log of a real alert: "File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone." and I paste it in logtest: Phase 1: Completed
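Because ossec-logtest cannot exercise rootcheck events, the only way to see whether a level-0 child rule of 510 would silence the noisy "is owned by root and has written permissions to anyone" alerts is to evaluate its regex or match condition against the full_log text taken from archives.log, as the replies above and below (the advice to "use match or regex" on the file path) describe. The following is an added example, not code from this thread or from the OSSEC/Wazuh projects: it parses archives.log-style lines, translates the documented OSSEC regex escapes (\., \S, \s, \w, \d, \p and friends) into Python's re module as an approximation of the C matcher, emulates the simpler match condition, and reports which rootcheck events would still alert. The agent name and file paths in the sample lines are constructed, and treating "location is rootcheck" as "rule 510 fired" is a simplification of the real rule chain.

```python
"""Emulate a level-0 child rule of OSSEC/Wazuh rule 510 to see which rootcheck
events would still alert.

Added example, not code from the ossec-list thread or from the OSSEC/Wazuh
projects (their matcher is C code inside analysisd). The regex translation
below is an approximation of the documented OSSEC syntax, and the
archives.log lines are constructed sample input.
"""
import re

# Assumption: the OSSEC <regex> escapes documented for rules, mapped onto
# Python re atoms. In OSSEC a bare '.' is a literal dot and '\.' means
# "any character"; '\(' and '\)' group; everything else is literal.
_OSSEC_ESCAPES = {
    ".": ".",
    "S": r"\S",
    "s": r"\s",
    "t": r"\t",
    "w": r"[A-Za-z0-9_]",
    "W": r"[^A-Za-z0-9_]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&]""",
    "(": "(",
    ")": ")",
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Escapes not in the table ('\$', '\|', ...) are literals in OSSEC.
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        elif c in "*+^$|":
            out.append(c)              # same meaning in both syntaxes
            i += 1
        else:
            out.append(re.escape(c))   # everything else is literal in OSSEC
            i += 1
    return "".join(out)


def ossec_regex_search(pattern: str, text: str) -> bool:
    """True when the OSSEC-style regex matches anywhere in text."""
    return re.search(ossec_regex_to_python(pattern), text) is not None


def ossec_match(pattern: str, text: str) -> bool:
    """Emulate <match>: substring search where only '^', '$' and '|' are special."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1:] if start else alt
        core = core[:-1] if end else core
        if start and end:
            hit = text == core
        elif start:
            hit = text.startswith(core)
        elif end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


# archives.log layout seen in the thread: <timestamp> (<agent>) <ip>-><location> <full_log>
_ARCHIVE_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<full_log>.*)$"
)


def parse_archive_line(line: str) -> dict:
    m = _ARCHIVE_LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an archives.log line: %r" % line)
    return m.groupdict()


def alerts_after_ignore(lines, regex=None, match=None):
    """Return the full_log of each rootcheck event that still alerts once a
    level-0 child rule (if_sid 510) with the given <regex>/<match> exists.

    Simplification: rule 510 is treated as firing for every event whose
    location is 'rootcheck'. Both conditions are evaluated on full_log, the
    field the thread says <regex> and <match> look at.
    """
    remaining = []
    for line in lines:
        ev = parse_archive_line(line)
        if ev["location"] != "rootcheck":
            continue                                   # rule 510 never fired
        full_log = ev["full_log"]
        ignored = (regex is not None and ossec_regex_search(regex, full_log)) or (
            match is not None and ossec_match(match, full_log))
        if not ignored:
            remaining.append(full_log)
    return remaining


# Constructed sample lines modelled on the thread's archives.log excerpt.
SAMPLE_ARCHIVES = [
    "2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File "
    "'/var/lib/docker/volumes/3f2a1c/_data/tmp/build.log' is owned by root and has written permissions to anyone.",
    "2017 May 24 12:38:17 (ci-runner__development_12.34.56.78) any->rootcheck File "
    "'/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.",
    "2017 May 24 12:38:18 (ci-runner__development_12.34.56.78) any->rootcheck File "
    "'/etc/cron.d/backup' is owned by root and has written permissions to anyone.",
    "2017 May 24 12:38:19 (ci-runner__development_12.34.56.78) any->syscheck "
    "Integrity checksum changed for: '/etc/passwd'",
]

# The \S* form of the docker-volume pattern discussed in the thread.
DOCKER_VOLUME_REGEX = r"/var/lib/docker/volumes/\S*/_data/\S* is owned by root"

if __name__ == "__main__":
    for alert in alerts_after_ignore(SAMPLE_ARCHIVES, regex=DOCKER_VOLUME_REGEX):
        print("still alerting:", alert)
```

Python's backtracking engine will not reproduce every quirk of the C matcher (it accepts both the \.* and \S* forms of the docker pattern), so a pattern that suppresses the right lines here should still be confirmed against real alerts.log output after restarting the manager, as the thread does. Keeping the regex anchored on the literal path prefix and on the "is owned by root" suffix is what prevents the child rule from swallowing rootcheck findings outside the intended directory.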

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog wrote:
> Hi Jesus,
>
> I'm having the same problem, and the triggering of this rule causes so much noise that it's drowning out other alerts. I have added a rule like you suggested to my local rules:
>
> 510

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-18 Thread Gert Verhoog
Hi Jesus, I'm having the same problem, and the triggering of this rule causes so much noise that it's drowning out other alerts. I have added a rule like you suggested to my local rules: 510 /var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-18 Thread Jesus Linares
Hi Rob, you need to add the conditions to trigger that rule only for your specific files. Use match or regex: 510 Ignore rule 510 for 600 seconds for some files. I think you can't use same_id because the decoders are not extracting any ID. Regards. On Monday, April 17,

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Rob Williams
Hi Jesus, the first rule is what I am trying. You said I can match the file in, but can I do that when the file changes, as it is not one file I want to ignore? Can I use regex syntax in rules? I used it in decoders as I thought I wasn't able to. Thanks! 510 Ignore rule 510 for 600

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Jesus Linares
What rule did you use? Please share here the rule and the alerts that you want to ignore.

> I'd need the ID from the decoder to do so

There are no xml decoders for rootcheck. What you want to extract in the id field is the file, right? You can do a match in the rule for the file. Regards.

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-13 Thread Rob Williams
Hi Jesus, thanks for the reply. I have noticed that when I activate this rule, it blocks all events and does not alert on the first event. Also note that I am trying to use the ID field from my decoder to match against. I can't just use a static match as the ID continuously changes, so I'd need the ID

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-07 Thread Jesus Linares
Hi Rob, it is not possible to create decoders for rootcheck because they are at C level: https://github.com/wazuh/wazuh/blob/master/src/analysisd/analysisd.c#L772 Also, you don't need them, just create a rule like: 510 your conditions (match the file?) Ignore rule 510 during 300

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams wrote:
> Hi,
>
> I tried to do this, but I'm getting:
>
> ERROR: Parent decoder name invalid: 'rootcheck'
> ERROR: Error adding decoder plugin
>
> I don't see the rootcheck decoder within decoder.xml as well, any ideas?

It

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Rob Williams
Hi, I tried to do this, but I'm getting:

ERROR: Parent decoder name invalid: 'rootcheck'
ERROR: Error adding decoder plugin

I don't see the rootcheck decoder within decoder.xml as well, any ideas? Thanks again for the help! On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote: