Re: [ossec-list] Debugging a rule that fires when tested with ossec-logtest but never fires in production

2016-06-17 Thread Jose Luis Ruiz
Hi Kevin, A silly question. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On 2 June 2016 at 22:45:01, Kevin Branch ( ke...@branchnetconsulting.com) wrote: I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent. The rule simply

Re: [ossec-list] Debugging a rule that fires when tested with ossec-logtest but never fires in production

2016-06-06 Thread Kevin Branch
Thanks for helping me along. My mistake was that I was shoving this into ossec-logtest, log record prefix data and all: 2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client

Re: [ossec-list] Debugging a rule that fires when tested with ossec-logtest but never fires in production

2016-06-03 Thread dan (ddp)
On Thu, Jun 2, 2016 at 10:42 PM, Kevin Branch wrote: > I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 > agent. > > The rule simply alerts on Chrome Remote Desktop events. > > It uses this custom decoder: > > > : chromoting:

[ossec-list] Debugging a rule that fires when tested with ossec-logtest but never fires in production

2016-06-02 Thread Kevin Branch
I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent. The rule simply alerts on Chrome Remote Desktop events. It uses this custom decoder: : chromoting: \.*chromoting The rule is: chromoting Chrome Remote Desktop event - generic My test event is: