Hi,

Can you show us your ossec.conf? I don't see a reason why one alert would work and not the other (unless it is something you configured). Btw, which version of ossec are you using?
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Dec 22, 2008 at 1:19 PM, OlRoy OlRoy <[email protected]> wrote:
> I can't tell if this is a bug or not. I've probably made changes and
> restarted OSSEC at least 50 times now and still can't figure it out.
>
> I just have one Ubuntu 8.10 agent, and another Ubuntu 8.10 box as the OSSEC
> server. All alerts seem to be showing up in alerts.log and the OSSEC server
> also sends alerts in syslog form to 127.0.0.1. Everything seems to work
> fine, except my one 'Outbound IRC' local rule will show up in alerts.log but
> not as a syslog alert. All other alerts that I'm aware of show up in both
> alerts.log and syslog format in local0.log like I want.
>
> # cat local_rules.xml
> ...
> <group name="local,">
>   <rule id="100011" level="15">
>     <if_sid>4100</if_sid>
>     <srcip>192.168.1.101</srcip>
>     <dstport>6667</dstport>
>     <description>Outbound IRC</description>
>   </rule>
> </group>
> ...
>
> # cat alerts.log
> ** Alert 1229963971.60929: mail - local,
> 2008 Dec 22 11:39:31 (beta) 192.168.1.101->/var/log/messages
> Rule: 100011 (level 15) -> 'Outbound IRC'
> Src IP: 192.168.1.101
> User: (none)
> Dec 22 11:39:29 client kernel: [81522.061019] OUTBOUND IN= OUT=eth2
> SRC=192.168.1.101 DST=192.168.1.102 LEN=60 TOS=0x10 PREC=0x00 TTL=64
> ID=60942 DF PROTO=TCP SPT=34740 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
>
> # grep 'Outbound IRC' /var/log/HOSTS/127.0.0.1/local0.log
> #
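As an added illustration of what the posted rule actually tests (this is example code written for this page, not code from either poster or from OSSEC itself), the Python below models how the quoted local rule is evaluated against the quoted kernel log line: the netfilter LOG fields are decoded into the names OSSEC rules use (srcip, dstip, srcport, dstport), then the if_sid, srcip and dstport conditions are applied. The sample rule XML and log line are copied from the thread; treating rule 4100 as the stock firewall rule that fires on every decoded iptables line is an assumption about the surrounding ruleset, and the decoder is a simplification of the real one.

```python
import re
import xml.etree.ElementTree as ET

# Sample input copied from the thread: the local rule and the kernel line it matched.
LOCAL_RULES_XML = """
<group name="local,">
  <rule id="100011" level="15">
    <if_sid>4100</if_sid>
    <srcip>192.168.1.101</srcip>
    <dstport>6667</dstport>
    <description>Outbound IRC</description>
  </rule>
</group>
"""

KERNEL_LOG = ("Dec 22 11:39:29 client kernel: [81522.061019] OUTBOUND IN= OUT=eth2 "
              "SRC=192.168.1.101 DST=192.168.1.102 LEN=60 TOS=0x10 PREC=0x00 TTL=64 "
              "ID=60942 DF PROTO=TCP SPT=34740 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0")

# Assumption: the stock firewall rule that every decoded iptables line triggers,
# which the local rule chains from via <if_sid>.
PARENT_SID = "4100"

# KEY=value tokens as written by the netfilter LOG target (IN= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def decode_iptables(line):
    """Simplified iptables decoder: map LOG fields onto the field names OSSEC
    rules match on. Returns None when the line is not a netfilter LOG entry."""
    if " kernel: " not in line or "IN=" not in line or "OUT=" not in line:
        return None
    kv = dict(KV_RE.findall(line))
    return {
        "srcip": kv.get("SRC"),
        "dstip": kv.get("DST"),
        "srcport": kv.get("SPT"),
        "dstport": kv.get("DPT"),
        "protocol": kv.get("PROTO"),
    }


def load_rules(xml_text):
    """Parse a local_rules.xml fragment (one <group>) into plain dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        conditions = {child.tag: (child.text or "").strip() for child in rule}
        rules.append({"id": rule.get("id"),
                      "level": int(rule.get("level", "0")),
                      "group": root.get("name", ""),
                      **conditions})
    return rules


def match_rule(rule, fields, fired_sids):
    """A rule fires only if its parent rule fired and every network
    condition it carries equals the decoded field."""
    if rule.get("if_sid") and rule["if_sid"] not in fired_sids:
        return False
    for key in ("srcip", "dstip", "srcport", "dstport"):
        if key in rule and rule[key] != fields.get(key):
            return False
    return True


def evaluate(line, rules):
    """Return the rules from `rules` that fire on `line`."""
    fields = decode_iptables(line)
    if fields is None:
        return []
    fired = {PARENT_SID}
    return [r for r in rules if match_rule(r, fields, fired)]


if __name__ == "__main__":
    for hit in evaluate(KERNEL_LOG, load_rules(LOCAL_RULES_XML)):
        print("Rule: %s (level %d) -> '%s' [%s]"
              % (hit["id"], hit["level"], hit["description"], hit["group"]))
```

Changing DPT=6667 to another port, or the SRC address, makes the rule stop firing, which is the same exact-match behaviour the thread relies on; whether a fired alert is then forwarded over syslog is decided separately by the server's output configuration, which is why the ossec.conf is what is being asked for.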
