I think you can run 'ossec-logtest -d' to find out what's being loaded. You can also try making your rules a little broader (taking out options and whatnot), until you find a combination that works. After you find one that works you can put the options back in until it stops working. Just kind of find out what works and what doesn't.
On Wed, Apr 21, 2010 at 6:27 AM, Bart V. <[email protected]> wrote:
> Thank you for your swift answer.
>
> I made modifications to my rules as per your suggestions, and still
> logtest returns the same result.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18102'
> Level: '0'
> Description: 'Windows warning event.'
>
> Updated rules are:
>
> <group name="citrix">
> <rule id="100100" level="0">
> <if_sid>18102</if_sid>
> <hostname>SERVER01</hostname>
> <extra_data>MetaFrame</extra_data>
> <description>Ignore events from citrix servers</description>
> </rule>
> <rule id="100101" level="5">
> <if_sid>100100</if_sid>
> <id>9015</id>
> <description>Citrix Licensing Errors</description>
> </rule>
> <rule id="100102" level="5">
> <if_sid>100100</if_sid>
> <id>9026</id>
> <description>Citrix License acquisition Errors</description>
> </rule>
> <rule id="100103" level="10" frequency="10" timeframe="120">
> <if_matched_sid>100102</if_matched_sid>
> <description>Multiple license acquisition Errors</description>
> </rule>
> </group>
>
> It looks like logtest is not using my custom rule...
> I have put my citrix_rules.xml in /var/ossec/rules and made an
> <include>citrix_rules.xml</include> entry in ossec.conf on the server.
>
> Any other ideas? I am a bit at a loss as to why he's not reporting
> 100102 to be used.
>
> It looks like the first rule that matches is applied and ossec looks
> no further for more specific rules (in this case my custom rule.)
>
> Kind Regards.
> Bart
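As an added illustration (not code from the thread or from OSSEC itself), here is a small Python model of how an if_sid rule chain is evaluated: a child rule is only tried after its parent matched, so if the parent's hostname or extra_data condition fails on the decoded event, logtest stops at sid 18102 exactly as in the quoted output. The rule table is the chain from the quoted message; the event dicts are constructed, and the matching is a simplified approximation of OSSEC's substring-style OSMatch.

```python
# Rule chain from the quoted message. Rule 100103 (if_matched_sid, frequency)
# is left out because it depends on event history rather than a single event.
RULES = {
    18102:  {"level": 0, "if_sid": None,   "conds": {}},
    100100: {"level": 0, "if_sid": 18102,
             "conds": {"hostname": "SERVER01", "extra_data": "MetaFrame"}},
    100101: {"level": 5, "if_sid": 100100, "conds": {"id": "9015"}},
    100102: {"level": 5, "if_sid": 100100, "conds": {"id": "9026"}},
}


def _field_matches(pattern, value):
    """Approximation of OSSEC OSMatch: a leading '^' anchors, else substring."""
    if value is None:
        return False
    if pattern.startswith("^"):
        return value.startswith(pattern[1:])
    return pattern in value


def evaluate(event, base_sid=18102):
    """Return (sid, level) of the deepest matching rule for one decoded event.

    Children (rules whose if_sid is the current sid) are only tried once the
    parent matched; the first matching sibling wins and the walk continues
    below it. A failed parent condition therefore hides every rule beneath it.
    """
    matched = base_sid
    while True:
        children = [sid for sid, r in RULES.items() if r["if_sid"] == matched]
        nxt = None
        for sid in children:
            conds = RULES[sid]["conds"]
            if all(_field_matches(p, event.get(k)) for k, p in conds.items()):
                nxt = sid
                break
        if nxt is None:
            return matched, RULES[matched]["level"]
        matched = nxt


if __name__ == "__main__":
    # Constructed events: same id, only the hostname differs.
    ok = {"hostname": "SERVER01", "extra_data": "MetaFrame", "id": "9026"}
    other = {"hostname": "SERVER02", "extra_data": "MetaFrame", "id": "9026"}
    print(evaluate(ok))     # (100102, 5): parent 100100 matched, child 100102 fired
    print(evaluate(other))  # (18102, 0): parent failed, so logtest reports 18102
```

The same parent/child dependency is why the include order matters in ossec.conf: the file defining sid 18102 has to be loaded before citrix_rules.xml, or the if_sid link cannot be built at all.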
