Try pulling the log message out of the syslog file that it is stored to. For example, if the message goes to /var/log/messages, pull it out of there. I don't know if the archives messages are the same, for some reason that file is empty on my server...
On Sat, Jan 16, 2010 at 6:00 PM, Dave S <[email protected]> wrote:
> I want to be able to reproduce an event for testing modifications to
> rules.
>
> Is grabbing a line out of archives.log and sending it to ossec-logtest
> the way to do this?
