Hi All,

I hope you all can help me clear this up a bit.

I would like to monitor my citrix farm for certain events (licensing
errors mostly).
So I made a citrix_rules.xml:
<group name="Citrix">
  <rule id="100100" level="1">
    <decoded_as>windows</decoded_as>
    <!-- closing tag fixed (was </scrip>); a mismatched tag makes the whole file unparseable.
         Note that the logtest Phase 2 output below lists no srcip field for this event. -->
    <srcip>x.x.x.x/24</srcip>
    <description>Ignore events from citrix servers</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <id>9015</id>
    <description>Citrix Grace Period</description>
  </rule>
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <id>9026</id>
    <description>Citrix License acquisition Errors</description>
  </rule>
  <rule id="100103" level="10" frequency="10" timeframe="3600">
    <!-- was 100103 (the rule referring to itself); the frequency counter
         has to point at the license acquisition error rule -->
    <if_matched_sid>100102</if_matched_sid>
    <description>Multiple CTX License acquisition errors</description>
  </rule>
</group>

Next I added an <include></include> line to ossec.conf and restarted
ossec.

Finally I tested with ossec-logtest:
2010/04/07 11:15:57 ossec-testrule: INFO: Started (pid: 8790).
ossec-testrule: Type one log per line.

WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain:
SERVER01: Citrix Presentation Server has entered the grace period. You
have 840 hour(s) remaining before this server stops accepting
connections from client devices.


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no
user): no domain: SERVER01: Citrix Presentation Server has entered the
grace period. You have 840 hour(s) remaining before this server stops
accepting connections from client devices.  '
       hostname: 'hzlnx01'
       program_name: '(null)'
       log: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no user):
no domain: SERVER01: Citrix Presentation Server has entered the grace
period. You have 840 hour(s) remaining before this server stops
accepting connections from client devices.  '

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'WARNING'
       id: '9015'
       extra_data: 'MetaFrame'
       dstuser: '(no user)'
       system_name: 'SERVER01'

**Phase 3: Completed filtering (rules).
       Rule id: '18102'
       Level: '0'
       Description: 'Windows warning event.'

My question: Why is logtest still using rule 18102 and not my custom
ruleset?


-- 
To unsubscribe, reply using "remove me" as the subject.
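Before restarting ossec with a new rules file, it helps to lint it against what ossec-logtest actually decoded. The script below is an added example, not part of the original mail or of OSSEC itself. It checks three things: that the XML is well-formed (a mismatched closing tag breaks the whole file), that every if_sid / if_matched_sid points at a rule other than itself, and that every field a rule tests is one the decoder populated, using the "Phase 2" block from logtest output. The rule-element-to-decoder-field table is an assumption drawn from OSSEC's documented rule options, and the inputs are constructed copies of the rules and logtest output quoted in the post.

```python
"""Lint a custom OSSEC rules file against the fields the decoder produced.

Example code, not OSSEC's own tooling. Inputs are constructed copies of
the rules file and ossec-logtest output quoted in the post.
"""
import re
import xml.etree.ElementTree as ET

# Rule elements that compare against a decoded field, and the decoder field(s)
# they read. Assumption: based on OSSEC's documented rule options; <user> is
# compared against dstuser, falling back to srcuser.
FIELD_ELEMENTS = {
    "srcip": ("srcip",),
    "dstip": ("dstip",),
    "srcport": ("srcport",),
    "dstport": ("dstport",),
    "user": ("dstuser", "srcuser"),
    "id": ("id",),
    "status": ("status",),
    "extra_data": ("extra_data",),
    "url": ("url",),
    "action": ("action",),
    "protocol": ("protocol",),
}

# Constructed copy of the posted citrix_rules.xml, including its mismatched tag.
RULES_XML = """<group name="Citrix">
<rule id="100100" level="1">
        <decoded_as>windows</decoded_as>
        <srcip>x.x.x.x/24</scrip>
        <description>Ignore events from citrix servers</description>
</rule>
<rule id="100101" level="5">
        <if_sid>100100</if_sid>
        <id>9015</id>
        <description>Citrix Grace Period</description>
</rule>
<rule id="100102" level="5">
  <if_sid>100100</if_sid>
  <id>9026</id>
  <description>Citrix License acquisition Errors</description>
</rule>
<rule id="100103" level="10" frequency="10" timeframe="3600">
  <if_matched_sid>100103</if_matched_sid>
  <description>Multiple CTX License acquisition errors</description>
</rule>
</group>
"""

# Constructed copy of the Phase 2 block from the posted ossec-logtest run.
LOGTEST_OUTPUT = """**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'WARNING'
       id: '9015'
       extra_data: 'MetaFrame'
       dstuser: '(no user)'
       system_name: 'SERVER01'

**Phase 3: Completed filtering (rules).
       Rule id: '18102'
"""

_PHASE2_LINE = re.compile(r"^\s+(\w+): '(.*)'$")


def parse_phase2(logtest_output):
    """Return {field: value} for the decoded fields in a Phase 2 block."""
    fields, in_phase2 = {}, False
    for line in logtest_output.splitlines():
        if line.startswith("**Phase 2"):
            in_phase2 = True
            continue
        if line.startswith("**Phase"):
            in_phase2 = False
        m = _PHASE2_LINE.match(line) if in_phase2 else None
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def lint_rules(xml_text, decoded_fields):
    """Return a list of findings; an empty list means nothing to report."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    findings = []
    rules = list(root.iter("rule"))
    ids = {r.get("id") for r in rules}
    for rule in rules:
        rid = rule.get("id")
        # if_sid / if_matched_sid may carry a comma-separated list of ids.
        for ref_tag in ("if_sid", "if_matched_sid"):
            for ref in rule.findall(ref_tag):
                for target in re.split(r"[,\s]+", (ref.text or "").strip()):
                    if not target:
                        continue
                    if target == rid:
                        findings.append(f"rule {rid}: {ref_tag} refers to itself")
                    elif target not in ids:
                        findings.append(f"rule {rid}: {ref_tag} {target} is not defined in this file")
        # A field test can only match if the decoder populated that field.
        for elem in rule:
            wanted = FIELD_ELEMENTS.get(elem.tag)
            if wanted and not any(f in decoded_fields for f in wanted):
                findings.append(f"rule {rid}: tests <{elem.tag}> but the decoder produced no {'/'.join(wanted)} field")
    return findings


if __name__ == "__main__":
    decoded = parse_phase2(LOGTEST_OUTPUT)
    print("as posted: ", lint_rules(RULES_XML, decoded))
    print("tag fixed: ", lint_rules(RULES_XML.replace("</scrip>", "</srcip>"), decoded))
```

Run as posted, the linter stops at the mismatched tag; with that tag corrected it reports the rule 100100 field test that the windows decoder never populates and the self-referencing if_matched_sid in rule 100103, which are exactly the two things to look at before reading the Phase 3 result.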