Thank you for your swift answer.
I made modifications to my rules as per your suggestions, and still
logtest returns the same result.
**Phase 3: Completed filtering (rules).
Rule id: '18102'
Level: '0'
Description: 'Windows warning event.'
Updated rules are:
<group name="citrix">
  <rule id="100100" level="0">
    <if_sid>18102</if_sid>
    <hostname>SERVER01</hostname>
    <extra_data>MetaFrame</extra_data>
    <description>Ignore events from citrix servers</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <id>9015</id>
    <description>Citrix Licensing Errors</description>
  </rule>
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <id>9026</id>
    <description>Citrix License acquisition Errors</description>
  </rule>
  <rule id="100103" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <description>Multiple license acquisition Errors</description>
  </rule>
</group>
It looks like logtest is not using my custom rule...
I have put my citrix_rules.xml in /var/ossec/rules and made an
<include>citrix_rules.xml</include> entry in ossec.conf on the server.
Any other ideas? I am a bit at a loss as to why it's not reporting
100102 to be used.
It looks like the first rule that matches is applied and ossec looks
no further for more specific rules (in this case my custom rule.)
Kind Regards.
Bart
On 7 apr, 20:37, Daniel Cid <[email protected]> wrote:
> Hey,
>
> A few things:
>
> -You have <srcip>x.x.x.x/24</scrip> specified, but there is no srcip
> in the logs. If you want to match
> on the agent ips, use <hostname> instead.
>
> -On your first rule, change <decoded_as>windows</decoded_as> for
> <if_sid>18102</if_sid>
>
> So your first rule would look like:
>
> <rule id="100100" level="0">
>   <if_sid>18102</if_sid>
>   <hostname>agent1|agent2</hostname>
>   <extra_data>MetaFrame</extra_data>
>   <description>Ignore events from citrix servers</description>
> </rule>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Apr 7, 2010 at 6:29 AM, Bart V. <[email protected]> wrote:
> > Hi All,
>
> > I hope you all can help me clear this up a bit.
>
> > I would like to monitor my citrix farm for certain events (licensing
> > errors mostly).
> > So I made a citrix_rules.xml:
> > <group name="Citrix">
> >   <rule id="100100" level="1">
> >     <decoded_as>windows</decoded_as>
> >     <srcip>x.x.x.x/24</scrip>
> >     <description>Ignore events from citrix servers</description>
> >   </rule>
> >   <rule id="100101" level="5">
> >     <if_sid>100100</if_sid>
> >     <id>9015</id>
> >     <description>Citrix Grace Period</description>
> >   </rule>
> >   <rule id="100102" level="5">
> >     <if_sid>100100</if_sid>
> >     <id>9026</id>
> >     <description>Citrix License acquisition Errors</description>
> >   </rule>
> >   <rule id="100103" level="10" frequency="10" timeframe="3600">
> >     <if_matched_sid>100103</if_matched_sid>
> >     <description>Multiple CTX License acquisition errors</description>
> >   </rule>
> > </group>
>
> > Next I added an <include></include> line to ossec.conf and restarted
> > ossec.
>
> > Finally I tested with ossec-logtest:
> > 2010/04/07 11:15:57 ossec-testrule: INFO: Started (pid: 8790).
> > ossec-testrule: Type one log per line.
>
> > WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain:
> > SERVER01: Citrix Presentation Server has entered the grace period. You
> > have 840 hour(s) remaining before this server stops accepting
> > connections from client devices.
>
> > **Phase 1: Completed pre-decoding.
> > full event: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no
> > user): no domain: SERVER01: Citrix Presentation Server has entered the
> > grace period. You have 840 hour(s) remaining before this server stops
> > accepting connections from client devices. '
> > hostname: 'hzlnx01'
> > program_name: '(null)'
> > log: 'WinEvtLog: System: WARNING(9015): MetaFrame: (no user):
> > no domain: SERVER01: Citrix Presentation Server has entered the grace
> > period. You have 840 hour(s) remaining before this server stops
> > accepting connections from client devices. '
>
> > **Phase 2: Completed decoding.
> > decoder: 'windows'
> > status: 'WARNING'
> > id: '9015'
> > extra_data: 'MetaFrame'
> > dstuser: '(no user)'
> > system_name: 'SERVER01'
>
> > **Phase 3: Completed filtering (rules).
> > Rule id: '18102'
> > Level: '0'
> > Description: 'Windows warning event.'
>
> > My question: why is logtest still using rule 18102 and not my custom
> > ruleset?
>
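A toy model of the parent/child rule walk Bart describes, added here as an illustration (it is not OSSEC's code): a rule carrying `<if_sid>` is only tried once its parent has matched, so when the parent's field conditions fail, logtest stays on the stock rule. It runs the updated rules against the fields logtest printed in Phases 1 and 2, and assumes that `<hostname>` is compared with the pre-decoded `hostname` field, that `|` separates alternatives (as in Daniel's `agent1|agent2`) and that a pattern matches as a substring; the composite `frequency` rule is skipped.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the updated citrix_rules.xml from the post, minus the
# composite rule, which needs event counting this toy model does not do.
RULES_XML = """<group name="citrix">
  <rule id="100100" level="0"><if_sid>18102</if_sid>
    <hostname>SERVER01</hostname><extra_data>MetaFrame</extra_data></rule>
  <rule id="100101" level="5"><if_sid>100100</if_sid><id>9015</id></rule>
  <rule id="100102" level="5"><if_sid>100100</if_sid><id>9026</id></rule>
</group>"""

# Fields exactly as ossec-logtest printed them (Phase 1 hostname, Phase 2
# decoder output). system_name is carried along but no rule option here reads it.
EVENT = {"hostname": "hzlnx01", "status": "WARNING", "id": "9015",
         "extra_data": "MetaFrame", "system_name": "SERVER01"}

# Rule options this model understands; each is compared with the decoded
# field of the same name. Assumption: '|' separates alternatives and a
# pattern matches as a substring.
FIELD_OPTIONS = ("hostname", "id", "extra_data", "status")

def parse_rules(xml_text):
    """Map rule id -> (level, parent sid or None, {option: pattern})."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        if r.get("frequency"):          # composite rule: out of scope here
            continue
        if_sid = r.find("if_sid")
        parent = if_sid.text if if_sid is not None else None
        conds = {c.tag: c.text for c in r if c.tag in FIELD_OPTIONS}
        rules[r.get("id")] = (int(r.get("level")), parent, conds)
    return rules

def conditions_hold(conds, event):
    """Every option must match; an option matches if any alternative does."""
    return all(any(alt in (event.get(opt) or "") for alt in pat.split("|"))
               for opt, pat in conds.items())

def evaluate(rules, event, base=("18102", 0)):
    """Mimic Phase 3: descend from the current winner to the first matching
    child, repeat, and stop when no child of the winner matches."""
    winner = base
    while True:
        for rid, (level, parent, conds) in rules.items():
            if parent == winner[0] and conditions_hold(conds, event):
                winner = (rid, level)
                break
        else:
            return winner
```

With the hostname logtest actually decoded the walk never leaves 18102; the same event with a `<hostname>` that matches climbs to 100101 at level 5.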