Hey,
A few things:
- You have <srcip>x.x.x.x/24</scrip> specified, but there is no srcip
  in the logs. If you want to match on the agent ips, use <hostname> instead.
- On your first rule, change <decoded_as>windows</decoded_as> for
  <if_sid>18102</if_sid>
So your first rule would look like:
<rule id="100100" level="0">
  <if_sid>18102</if_sid>
  <hostname>agent1|agent2</hostname>
  <extra_data>MetaFrame</extra_data>
  <description>Ignore events from citrix servers</description>
</rule>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
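The chaining in the reply above (built-in rule first, custom rule hung off it with <if_sid>, child rule keyed on the event id), as an added illustration that is not part of the thread and not OSSEC's own code: a small Python model of rule selection. It assumes the agent is named agent1 so that it lines up with the suggested <hostname>agent1|agent2</hostname>, stands in a minimal rule 18102 for the built-in Windows warning rule, and approximates OSSEC's OS_Match with Python regexes. Fed the decoded fields from the logtest output, the original ruleset stops at 18102 because <srcip> needs a field the Windows event never carries, while the rewritten parent rule chains 18102 -> 100100 -> 100101.

```python
# Added example (not from the thread and not OSSEC's own code): a toy model of
# how ossec-analysisd picks a rule.  Built-in rules are tried first; a custom
# rule whose <if_sid> names the rule that just matched is then tried as a
# child, and the deepest match wins.  Python's re stands in for OSSEC's
# OS_Match; real OSSEC supports many more fields and its own regex syntax.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed decoded event, mirroring the Phase 2 fields printed by
# ossec-logtest in the thread.  hostname is assumed to be the agent name
# "agent1" so it lines up with <hostname>agent1|agent2</hostname> in the
# reply.  Note that no 'srcip' field exists for this event at all.
DECODED_EVENT = {
    "hostname": "agent1", "decoder": "windows", "status": "WARNING",
    "id": "9015", "extra_data": "MetaFrame", "dstuser": "(no user)",
    "system_name": "SERVER01",
}

# Stand-in for the built-in Windows rule that logtest reported (18102).
BUILTIN_RULES = """<group name="windows">
  <rule id="18102" level="0">
    <decoded_as>windows</decoded_as><status>WARNING</status>
    <description>Windows warning event.</description>
  </rule>
</group>"""

# Parent rule as originally posted: it requires a srcip the event never has.
ORIGINAL_RULES = """<group name="Citrix">
  <rule id="100100" level="1">
    <decoded_as>windows</decoded_as><srcip>x.x.x.x/24</srcip>
    <description>Ignore events from citrix servers</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid><id>9015</id>
    <description>Citrix Grace Period</description>
  </rule>
</group>"""

# Parent rule rewritten as suggested in the reply, with the same child rule.
FIXED_RULES = """<group name="Citrix">
  <rule id="100100" level="0">
    <if_sid>18102</if_sid><hostname>agent1|agent2</hostname>
    <extra_data>MetaFrame</extra_data>
    <description>Ignore events from citrix servers</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid><id>9015</id>
    <description>Citrix Grace Period</description>
  </rule>
</group>"""

FIELDS = ("decoded_as", "status", "id", "extra_data", "hostname", "srcip")


def load_rules(*xml_docs):
    """Parse <rule> elements (in file order) into dicts keyed by rule id."""
    rules = {}
    for doc in xml_docs:
        for el in ET.fromstring(doc).iter("rule"):
            rules[el.get("id")] = {
                "id": el.get("id"),
                "level": int(el.get("level")),
                "if_sid": el.findtext("if_sid"),
                "conditions": {f: el.findtext(f) for f in FIELDS if el.find(f) is not None},
                "description": el.findtext("description", ""),
            }
    return rules


def field_matches(field, pattern, event):
    """Test one rule condition against the decoded event."""
    if field == "decoded_as":
        return event.get("decoder") == pattern
    value = event.get(field)
    if value is None:          # field absent: the rule can never match
        return False
    if field == "srcip":       # CIDR test, as <srcip> does in OSSEC
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return re.search(pattern, value) is not None   # "a|b" alternation works


def rule_matches(rule, event):
    """True when every condition of the rule holds for the event."""
    return all(field_matches(f, p, event) for f, p in rule["conditions"].items())


def evaluate(rules, event):
    """Return the deepest matching rule, following <if_sid> parent links."""
    by_parent = {}
    for rule in rules.values():
        by_parent.setdefault(rule["if_sid"], []).append(rule)

    def walk(candidates):
        for rule in candidates:
            if rule_matches(rule, event):
                return walk(by_parent.get(rule["id"], [])) or rule
        return None

    return walk(by_parent.get(None, []))   # roots are rules without <if_sid>


def demo():
    """Rule ids chosen before and after the fix for the grace-period event."""
    before = evaluate(load_rules(BUILTIN_RULES, ORIGINAL_RULES), DECODED_EVENT)
    after = evaluate(load_rules(BUILTIN_RULES, FIXED_RULES), DECODED_EVENT)
    return before["id"], after["id"]


if __name__ == "__main__":
    for label, rid in zip(("original", "fixed"), demo()):
        print(f"{label:8s} ruleset -> rule {rid}")
```

With the fixed ruleset, any other Windows warning from agent1 or agent2 carrying MetaFrame in extra_data lands on 100100 at level 0 and is ignored, which is why the parent rule is level 0; the same event from a host outside the <hostname> list still ends at 18102.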
On Wed, Apr 7, 2010 at 6:29 AM, Bart V. <[email protected]> wrote:
> Hi All,
>
> I hope you all can help me clear this up a bit.
>
> I would like to monitor my citrix farm for certain events (licensing
> errors mostly).
> So I made a citrix_rules.xml:
> <group name="Citrix">
> <rule id="100100" level="1">
> <decoded_as>windows</decoded_as>
> <srcip>x.x.x.x/24</scrip>
> <description>Ignore events from citrix servers</description>
> </rule>
> <rule id="100101" level="5">
> <if_sid>100100</if_sid>
> <id>9015</id>
> <description>Citrix Grace Period</description>
> </rule>
> <rule id="100102" level="5">
> <if_sid>100100</if_sid>
> <id>9026</id>
> <description>Citrix License acquisition Errors</description>
> </rule>
> <rule id="100103" level="10" frequency="10" timeframe="3600">
> <if_matched_sid>100103</if_matched_sid>
> <description>Multiple CTX License acquisition errors</description>
> </rule>
> </group>
>
> Next I added an <include></include> line to ossec.conf and restarted
> ossec.
>
> Finally I tested with ossec-logtest:
> 2010/04/07 11:15:57 ossec-testrule: INFO: Started (pid: 8790).
> ossec-testrule: Type one log per line.
>
> WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain:
> SERVER01: Citrix Presentation Server has entered the grace period. You
> have 840 hour(s) remaining before this server stops accepting
> connections from client devices.
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no
> user): no domain: SERVER01: Citrix Presentation Server has entered the
> grace period. You have 840 hour(s) remaining before this server stops
> accepting connections from client devices. '
> hostname: 'hzlnx01'
> program_name: '(null)'
> log: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no user):
> no domain: SERVER01: Citrix Presentation Server has entered the grace
> period. You have 840 hour(s) remaining before this server stops
> accepting connections from client devices. '
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'WARNING'
> id: '9015'
> extra_data: 'MetaFrame'
> dstuser: '(no user)'
> system_name: 'SERVER01'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18102'
> Level: '0'
> Description: 'Windows warning event.'
>
> My question: Why is logtest still using rule 18102? and not my custom
> ruleset?
>
>