I'm having trouble getting a rule to fire for a Windows agent.  I've
written other Windows rules before and they work fine, but I can't
figure out why this isn't working.

Here's what shows up in the Windows System log:
Printer HP Color LaserJet 8500 PS (from WORKSTATION) in session 2 was
set.

I am receiving other alerts from that Windows System log, so I know
the Agent is working properly.

I added the following to /var/ossec/rules/local_rules.xml on my OSSEC
server:
  <rule id="101013" level="5">
    <if_sid>18100</if_sid>
    <match>HP Color LaserJet 8500 PS</match>
    <description>Printer test</description>
  </rule>

I then restarted both the OSSEC Server and the OSSEC Agent on the
Windows box.  I can generate new log entries on the Windows box, but
they never show up on the OSSEC server.

I then tried removing the if_sid line making the rule just:
  <rule id="101013" level="5">
    <match>HP Color LaserJet 8500 PS</match>
    <description>Printer test</description>
  </rule>

I then restarted both the OSSEC Server and the OSSEC Agent on the
Windows box.  It still doesn't work.

Here are my questions:
1.  What is the bare minimum in a rule definition?  Can I get by with
just a <match>?
2.  After adding the rule to local_rules.xml, is it necessary to
restart both the server and the agent?  Or just one or the other?
3.  Is there something obviously wrong with my rule that would prevent
it from matching the above log snippet?

Thanks,
Doug Burks
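As an added illustration (not part of the original post, and not OSSEC's own code), the following Python script loads the rule from the post, wrapped in the <group> element that an OSSEC rules file expects, and walks through the two conditions that decide whether such a rule fires: the parent rule named in <if_sid> must already have matched the event, and the <match> text must appear in the log line. The script simplifies OSSEC's matcher to a plain substring test, and the set of already-matched parent rules is passed in by the caller rather than computed from the real Windows rule set; both are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# The rule from the post. The <group> wrapper is added here because OSSEC
# rules files are structured as <group> elements containing <rule> elements.
LOCAL_RULES = """
<group name="local,">
  <rule id="101013" level="5">
    <if_sid>18100</if_sid>
    <match>HP Color LaserJet 8500 PS</match>
    <description>Printer test</description>
  </rule>
</group>
"""

# Constructed sample event: the Windows System log line from the post.
LOG_LINE = ("Printer HP Color LaserJet 8500 PS (from WORKSTATION) "
            "in session 2 was set.")


def load_rules(xml_text):
    """Parse a rules file into a list of dicts (only the fields used here)."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        if_sid = r.findtext("if_sid") or ""
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level", "0")),
            # <if_sid> may list several comma-separated parent rule ids.
            "if_sid": [s.strip() for s in if_sid.split(",") if s.strip()],
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        })
    return rules


def explain(rule, log_line, matched_parents):
    """Return 'fired' or the reason the rule was skipped for this event.

    matched_parents: ids of rules that already matched this event. A rule
    with <if_sid> is only considered when one of those ids is listed.
    Simplification: <match> is treated as a case-sensitive substring test.
    """
    if rule["if_sid"] and not any(p in matched_parents for p in rule["if_sid"]):
        return "skipped: none of if_sid %s matched first" % rule["if_sid"]
    if rule["match"] and rule["match"] not in log_line:
        return "skipped: match text %r not in event" % rule["match"]
    return "fired"


def evaluate(rules, log_line, matched_parents=frozenset()):
    """Map each rule id to 'fired' or the reason it did not fire."""
    return {r["id"]: explain(r, log_line, matched_parents) for r in rules}


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    # Case 1: parent rule 18100 did not match, so the child is never tried.
    print(evaluate(rules, LOG_LINE))
    # Case 2: parent matched and the text is present, so the rule fires.
    print(evaluate(rules, LOG_LINE, {"18100"}))
    # Case 3: parent matched but the event lacks the match text.
    print(evaluate(rules, "Printer Generic PCL was set.", {"18100"}))
```

Run as-is to see all three outcomes; the first case is the one to look at when a child rule that references a parent via <if_sid> never appears in alerts, since the <match> text is never even compared unless the parent has matched the event.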
