I don't think you can. How would ossec-logtest know where the log message came from if you paste the message to stdin?
On Mon, Mar 7, 2011 at 5:22 PM, Shaikat Majumdar <[email protected]> wrote:
> How would you go about testing this feature (<location>) ... with
> ossec-logtest ?
>
> The way I am setting this up is I am using the <location> tag for specifying
> the log file location in the /var/ossec/etc/shared/agent.conf file.
>
> In the alert log (this is based on a custom rule that I have defined) I can
> see my rule getting fired and an alert being generated as so :
>
> ** Alert 1299248765.8089745: mail - flextrade-app
> 2011 Mar 04 09:26:05 (nyflexdev1) 10.10.13.10->/home/appuser/flexapp/flextrade/java/logs/oexlistener.log
> Rule: 106004 (level 10) -> 'Fatal Exception occurred in the OEX Listener log, please check!'
> Src IP: (none)
> User: (none)
> ERROR 2011-03-04 09:24:36,182 OEXClient:214 flextrade.api.channel.APIChannelException : Failed to connect to 'flexdev' : '30456'
>
> Now what I am trying to do is use the location information (shown in bold
> above) in my custom rule.
> So does the OSSEC rules syntax provide me this information and if so is
> there a way to test this using ossec-logtest ?
>
> ----
> Shaikat
>
> On 3/7/11 3:58 PM, dan (ddp) wrote:
>> You can try <location>. I can't find any real documentation on it at
>> the moment, and I don't think I've done any real testing with it.
>>
>> On Mon, Mar 7, 2011 at 3:49 PM, Shaikat Majumdar <[email protected]> wrote:
>>> Does OSSEC pre-decoding provide a way to glean the log filename causing an
>>> alert ?
>>> If not, can this be done using a custom-defined decoder ?
>>>
>>> --
>>> Shaikat Majumdar
>>> Millburn Ridgefield Corporation
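As an added illustration (not part of the thread, and not tested by its participants), this is what a local rule combining dan's `<location>` suggestion with the fields visible in Shaikat's alert could look like; the `<match>` string and the group name are assumptions, and the rule id, level, log path and description are taken from the alert above.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; assumed group name.
     <location> is matched against the log's origin (the agent file path
     in the alert), so only events read from oexlistener.log can fire it.
     Since ossec-logtest reads from stdin and has no location to compare,
     this rule has to be checked against the live agent log, not logtest. -->
<group name="local,flextrade,">
  <rule id="106004" level="10">
    <!-- OSSEC regex: anchor on the file name at the end of the path -->
    <location>oexlistener.log$</location>
    <!-- assumed trigger string; taken from the sample log line -->
    <match>APIChannelException</match>
    <description>Fatal Exception occurred in the OEX Listener log, please check!</description>
  </rule>
</group>
```

Events arriving from any other file, even with an identical message, will not match rule 106004, which is the per-file scoping the thread is after.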
