The entries in the archives file add a bit of data. So it has to be
removed before feeding it through logtest. Which version of ossec are
you using? I tested it with 2.4-beta.
Something in your set may have been changed, because the entry I
pasted worked for me. Try moving your local_decoders or something to
get more of a stock system. I don't have any special Windows decoders
or anything.
# ./ossec-logtest
2010/04/01 09:42:38 ossec-testrule: INFO: Started (pid: 14336).
ossec-testrule: Type one log per line.
WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices.'
hostname: 'ix'
program_name: '(null)'
log: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'WARNING'
id: '9015'
extra_data: 'MetaFrame'
dstuser: '(no user)'
system_name: 'SERVER01'
**Phase 3: Completed filtering (rules).
Rule id: '18102'
Level: '0'
Description: 'Windows warning event.'
On Thu, Apr 1, 2010 at 8:46 AM, Bart V. <[email protected]> wrote:
> hmm,
> Even if that would work, that's not a solution, as the entry I
> pasted is taken literally from /var/ossec/logs/archives/ossec-archive.log
> So it should be in the proper format?
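The thread's point is that an archives.log entry carries a prefix that must be stripped before the event is pasted into ossec-logtest, and that the logtest output then has to be read field by field. The following is an added example, not code from the thread or from OSSEC; it assumes the archive prefix has the shape "YYYY Mon DD HH:MM:SS [(agent) ip]->location " and constructs its sample lines from the event quoted above.

```python
import re

# Assumption (not stated in the thread): archives.log prepends a timestamp,
# an optional "(agent) ip" pair and "->location" to the raw event.
# Sample line constructed from the Citrix event quoted in the thread.
ARCHIVE_LINE = (
    "2010 Apr 01 08:30:12 (server01) 10.0.0.5->WinEvtLog WinEvtLog: System: "
    "WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation "
    "Server has entered the grace period. You have 840 hour(s) remaining before "
    "this server stops accepting connections from client devices."
)

_PREFIX = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} "  # archive timestamp
    r"(?:\([^)]*\) )?\S*->\S+ "                       # optional "(agent) ip", then "->location "
)

def strip_archive_prefix(line: str) -> str:
    """Return the raw event as the agent sent it; lines without a prefix pass through."""
    return _PREFIX.sub("", line.rstrip("\n"), count=1)

# Constructed ossec-logtest output in the shape shown in the thread, one field per line.
LOGTEST_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no user): ...'
       hostname: 'ix'
**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'WARNING'
       id: '9015'
       extra_data: 'MetaFrame'
       dstuser: '(no user)'
       system_name: 'SERVER01'
**Phase 3: Completed filtering (rules).
       Rule id: '18102'
       Level: '0'
       Description: 'Windows warning event.'
"""

_FIELD = re.compile(r"^\s*([A-Za-z_ ]+): '(.*)'$")

def parse_logtest_output(text: str) -> dict:
    """Collect the "name: 'value'" fields ossec-logtest prints across its phases."""
    fields = {}
    for raw in text.splitlines():
        m = _FIELD.match(raw)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields
```

Feeding strip_archive_prefix() over each archive line and comparing parse_logtest_output() against the decoder and rule you expect is a quick way to tell a format problem from a decoder or rule change.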