I didn't know how to get the rule to match the log id. I tried doing the
^500$ for example, but it didn't work for me.
This used to be my rule when I was messing around with it:
^400$|^403$|^500$|^501$|^600$
Powershell Event.
I also have the problem in which opening PowerShell and running
Oh yeah, it probably didn't work because I didn't have if_sid maybe the
first time I was doing this.
On Wednesday, December 16, 2015 at 4:07:21 PM UTC-6, Phillipa Moorea wrote:
>
> I didn't know how to get the rule to match the log id. I tried doing the
> ^500$ for example, but it didn't work
Is SELinux enabled? Long shot, I know. Regardless, OSSEC needs to be able to
access the client.keys file, both on the agent and the manager, before it can
communicate. If permissions and ownership aren’t the problem – which, they look
fine btw – then I don’t honestly know why it would be