The ruleset that I emailed didn't work for Server 2008. It seems that they've added two new event IDs for 2K8 IPv4 and IPv6. I've updated my ruleset file and separated the 2k3/2k8 IPv4 and 2k8 IPv6 rules. I'm not using IPv6 at this time, so I've just created a decoder and tested using what few log entries I could generate. I also had to create three separate decoders: one for the 2k3 IPv4, one for 2k8 IPv4 and one for 2k8 IPv6.

In the last rules file I emailed to the list, I chose IDs in the 12200 range since the named rules were in the 12100 range. I've left the IPv4 rules for 2k3 and 2k8 in the 12200 range and put the 2k8 IPv6 rules in the 12300 range.

Before I send the updated decoders and rules, I wanted to get a better understanding of the rule alert levels and rule groups. I've been looking over some of the documentation between the manual and the FAQs, and I'm not sure that either of them is documented. I've also not been able to find valid "log types" to monitor. In my case, I just used syslog and it's working, but I'm not sure if I should use something else.

Where can I find out the alert level scale? Or, how should I assign alert levels to my rules? I've set all my rules to alert level 5 to start.

Are the rule groups predefined, or can I use my own? I've used some of the groups that I've seen defined in other rules, such as "service_availability", but I've gone on to define my own, such as "dhcp_lease_action", "dhcp_maintenance", "dhcp_dns_maintenance" and "dhcp_rogue_server".

Where is a list of valid log types that you define in the agent's ossec.conf file when you tell it to monitor a log?

When creating a decoder, the documentation lists the valid types. system_name is not listed as one of them, but I've seen it used in other rules. Are there other allowed fields that are not listed in the decoder.xml file? I've used the "extra_data" field to insert MAC addresses, but would prefer to use a "MAC" field if it is available.

Thanks in advance.
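The following is an added example, not part of the original post or the poster's ruleset, showing how a decoder pair and a small rule group for a Windows DHCP server audit log fit together in OSSEC. It assumes the Server 2003 IPv4 audit-log column layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address) and the "Assign"/"Renew"/"Release" description strings; the sample log line, the decoder and rule names, the rule IDs and the log path are all constructed for illustration. Two facts the example relies on: OSSEC alert levels run from 0 (never alerted) to 15, with the default ossec.conf thresholds at log_alert_level 1 and email_alert_level 7, and rule IDs 100000-119999 are the range OSSEC reserves for user-defined rules. Group names are free-form strings, and system_name is an accepted decoder order field; there is no dedicated MAC field, so the MAC address goes into extra_data as the poster did.

```xml
<!-- Added example, not from the original post. Constructed sample line used
     while testing with ossec-logtest (assumed 2003-style IPv4 layout):
       10,03/15/09,14:02:11,Assign,192.168.1.50,host1.example.com,001122334455,
-->

<!-- ossec.conf on the agent: a plain text file is read with log_format
     syslog; the path is the assumed default DHCP audit-log location. -->
<localfile>
  <log_format>syslog</log_format>
  <location>C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log</location>
</localfile>

<!-- decoder.xml: the parent only has to recognise the "ID,Date,Time," prefix -->
<decoder name="windows-dhcp">
  <prematch>^\d+,\d+/\d+/\d+,\d+:\d+:\d+,</prematch>
</decoder>

<!-- Child decoder extracts the fields. In OSSEC regex syntax "\d" is a digit,
     "\w" a word character, "\.*" means "anything" and a bare "." is literal.
     The host name lands in system_name and the MAC in extra_data (assumed
     mapping; OSSEC has no MAC field). -->
<decoder name="windows-dhcp-fields">
  <parent>windows-dhcp</parent>
  <regex>^(\d+),\d+/\d+/\d+,\d+:\d+:\d+,(\w+),(\d+.\d+.\d+.\d+),(\.*),(\w*),</regex>
  <order>id, action, srcip, system_name, extra_data</order>
</decoder>

<!-- local_rules.xml: IDs below are in the 100000-119999 user range (assumed
     values). The level-0 grouping rule never alerts by itself; the child
     rules pick the level. Group names such as dhcp_lease_action are
     free-form and only need to be consistent across rules. -->
<group name="dhcp,windows,">
  <rule id="100200" level="0">
    <decoded_as>windows-dhcp</decoded_as>
    <description>Windows DHCP server audit-log event (grouping rule).</description>
  </rule>

  <!-- Level 3: routine lease traffic, logged but below the default email
       threshold of 7. "action" is the decoded Description column. -->
  <rule id="100201" level="3">
    <if_sid>100200</if_sid>
    <action>^Assign|^Renew|^Release</action>
    <description>DHCP lease assigned, renewed or released.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <!-- Level 7: the same address churning through lease events repeatedly
       within a minute is worth an email; frequency/timeframe do the
       counting and same_source_ip keys it on the decoded srcip. -->
  <rule id="100202" level="7" frequency="10" timeframe="60">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Repeated DHCP lease events for the same address.</description>
    <group>dhcp_lease_action,</group>
  </rule>
</group>
```

Feed the sample line to ossec-logtest after installing the decoders and rules: the output should show the windows-dhcp-fields decoder with id, action, srcip, system_name and extra_data populated, and rule 100201 firing at level 3. Adjust the regex to add a further child decoder for the extra Server 2008 columns rather than loosening this one.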
