I can't tell if this is a bug or not. I've probably made changes and restarted
OSSEC at least 50 times now and still can't figure it out.
I just have one Ubuntu 8.10 agent, and another Ubuntu 8.10 box as the OSSEC
server. All alerts seem to be showing up in alerts.log and the OSSEC server
also sends alerts in syslog form to 127.0.0.1. Everything seems to work fine,
except my one 'Outbound IRC' local rule will show up in alerts.log but not as a
syslog alert. All other alerts that I'm aware of show up in both alerts.log
and syslog format in local0.log like I want.
# cat local_rules.xml
...
<group name="local,">
  <rule id="100011" level="15">
    <if_sid>4100</if_sid>
    <srcip>192.168.1.101</srcip>
    <dstport>6667</dstport>
    <description>Outbound IRC</description>
  </rule>
</group>
...
# cat alerts.log
** Alert 1229963971.60929: mail - local,
2008 Dec 22 11:39:31 (beta) 192.168.1.101->/var/log/messages
Rule: 100011 (level 15) -> 'Outbound IRC'
Src IP: 192.168.1.101
User: (none)
Dec 22 11:39:29 client kernel: [81522.061019] OUTBOUND IN= OUT=eth2
SRC=192.168.1.101 DST=192.168.1.102 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=60942
DF PROTO=TCP SPT=34740 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
# grep 'Outbound IRC' /var/log/HOSTS/127.0.0.1/local0.log
#
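A coverage check for the situation described in this post, added here as an example and not part of the original message or of OSSEC itself: it parses alerts.log records and the forwarded syslog file and lists rules that fired in alerts.log but never reached local0.log. The sample logs are constructed from the post, and the syslog line layout (`ossec: Alert Level: N; Rule: ID - description; ...`) is an assumption.

```python
import re

# Constructed sample alerts.log: the record from the post plus a second one.
ALERTS_LOG = """\
** Alert 1229963971.60929: mail - local,
2008 Dec 22 11:39:31 (beta) 192.168.1.101->/var/log/messages
Rule: 100011 (level 15) -> 'Outbound IRC'
Src IP: 192.168.1.101
User: (none)
Dec 22 11:39:29 client kernel: [81522.061019] OUTBOUND IN= OUT=eth2 SRC=192.168.1.101 DST=192.168.1.102 PROTO=TCP SPT=34740 DPT=6667 SYN

** Alert 1229963990.61200: - syslog,sshd,
2008 Dec 22 11:39:50 (beta) 192.168.1.101->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
"""

# Constructed sample of the forwarded syslog file (local0.log). The line layout
# "ossec: Alert Level: N; Rule: ID - description; ..." is an assumption.
SYSLOG_LOG = """\
Dec 22 11:39:50 beta ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; Location: (beta) 192.168.1.101->/var/log/auth.log; srcip: 10.0.0.5;
"""

ALERT_HDR_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): ")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'", re.M)
SYSLOG_RULE_RE = re.compile(r"ossec: Alert Level: \d+; Rule: (?P<rule>\d+) - ")

def parse_alerts_log(text):
    """Split alerts.log into blank-line separated records and pull out
    the alert id, rule id, level and description of each."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, rule = ALERT_HDR_RE.match(block), RULE_RE.search(block)
        if hdr and rule:  # skip anything that is not a complete record
            records.append({"alert": hdr.group("id"),
                            "rule": int(rule.group("rule")),
                            "level": int(rule.group("level")),
                            "desc": rule.group("desc")})
    return records

def forwarded_rule_ids(syslog_text):
    """Rule ids that made it into the syslog output file."""
    return {int(m.group("rule")) for m in SYSLOG_RULE_RE.finditer(syslog_text)}

def missing_from_syslog(alerts_text, syslog_text):
    """Records present in alerts.log whose rule id never appears in syslog."""
    forwarded = forwarded_rule_ids(syslog_text)
    return [r for r in parse_alerts_log(alerts_text) if r["rule"] not in forwarded]
```

Matching by rule id alone is deliberately coarse; if a rule fires often, key on the alert timestamp as well before concluding that forwarding is broken.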