On Mon, Mar 5, 2012 at 6:09 AM, C. L. Martinez <[email protected]> wrote:
> On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) <[email protected]> wrote:
>> I should probably mention that I think the -a flag for ossec-logtest
>> will give you OSSEC alert log output. Redirect that to a file or
>> possibly to ossec-reportd, and you should probably get what you're
>> after.
>>
>
> Thanks Dan. It is correct, cp.logs is in ossec alert format. For example:
>
> ** Alert 1330945041.114: - firewall,
> 2012 Mar 05 10:57:21 ossecsrv->stdin
> Rule: 100100 (level 2) -> 'CheckPoint Firewall-1 rules grouped.'
> Src IP: 192.168.1.7
> Dst IP: 192.168.2.3
> Dst Port: domain-udp
> "113" "26Feb2012" "23:59:04" "bond0.30" "CHCKPNT1" "Log" "Drop"
> "domain-udp" "47082" "192.168.1.7" "192.168.2.3" "udp" "82" ""
> "82-Standard" "" "inzone: Internal; outzone: Internal; service_id:
> domain-udp" "VPN-1 Power/UTM" "" ""
>
> doesn't trigger alert 100101 instead of 100100 ...

It doesn't trigger 100101 because action isn't decoded.
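To show what "action isn't decoded" means in practice, here is an added example (not configuration from the thread or from the OSSEC project) of a local decoder that pulls the action field out of the quoted CheckPoint export line above, plus a child rule keyed on it. The decoder names, the field-to-position mapping, the level and description of rule 100101, and the assumption that 100101 is meant to be a child of 100100 matching on `Drop` are all assumptions; the level, description and group of 100100 are taken from the alert shown.

```xml
<!-- local_decoder.xml (assumed file; names and field mapping are illustrative) -->

<!-- Parent decoder: identifies the quoted CSV export format. -->
<decoder name="checkpoint-fw1-csv">
  <!-- Fields 1-5: sequence number, date, time, interface, origin host. -->
  <prematch>^"\d+" "\S+" "\S+" "\S+" "\S+" "\w+" "</prematch>
</decoder>

<!-- Child decoder: extracts the fields a rule can test against.
     Positions match the sample line: "113" "26Feb2012" "23:59:04"
     "bond0.30" "CHCKPNT1" "Log" "Drop" "domain-udp" "47082"
     "192.168.1.7" "192.168.2.3" "udp" ... -->
<decoder name="checkpoint-fw1-csv-fields">
  <parent>checkpoint-fw1-csv</parent>
  <regex>^"\d+" "\S+" "\S+" "\S+" "\S+" "\w+" "(\w+)" "(\S+)" "(\d+)" "(\d+.\d+.\d+.\d+)" "(\d+.\d+.\d+.\d+)" "(\w+)"</regex>
  <!-- action is the 7th quoted field; without this mapping it stays undecoded
       and any rule with an <action> condition can never match. -->
  <order>action, extra_data, srcport, srcip, dstip, protocol</order>
</decoder>
```

```xml
<!-- local_rules.xml (assumed file). Rule 100100 is reconstructed from the
     alert in the thread; rule 100101 is an assumed child keyed on action. -->
<group name="firewall,">
  <rule id="100100" level="2">
    <decoded_as>checkpoint-fw1-csv</decoded_as>
    <description>CheckPoint Firewall-1 rules grouped.</description>
  </rule>

  <!-- Fires only when the decoder above has populated action="Drop". -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <action>Drop</action>
    <description>CheckPoint Firewall-1: connection dropped.</description>
  </rule>
</group>
```

To check the decoding, paste the raw quoted line (not the alert header) into `ossec-logtest`; phase 2 of its output lists the decoded fields, and `action: 'Drop'` must appear there before phase 3 can select 100101 over 100100. Running with `-a`, as mentioned earlier in the thread, prints the result in alert format instead.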
