Do you have any idea why the event isn't generating an alert?
This record only appears in the ossec/logs/archives/archive.log
Nowhere else.



On Apr 13, 11:04 am, santa rocks <[email protected]> wrote:
> Any ideas what my next step is? No alert is logged even though the rule
> tests and seems to work.
> Can this be a bug?
>
> Here is a record from the archives.log showing the win7 ossec.conf is
> sending alerts to the OSSEC HIDS Server, (server configured with
> logall option)
>
> 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog:
> OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no
> domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is
> incorrect. Word cannot open the document.  (C:\...\PW-
> linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:
>
> When I paste this log line into ossec-logtest it seems to pass.
>
> [root@it-mgmt bin]# ./ossec-logtest
> 2012/04/13 10:57:17 ossec-testrule: INFO: Reading local decoder file.
> 2012/04/13 10:57:17 ossec-testrule: INFO: Started (pid: 3107).
> ossec-testrule: Type one log per line.
>
> 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog:
> OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no
> domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is
> incorrect. Word cannot open the document.  (C:\...\PW-
> linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog 
> WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14
>
> Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft
> Word The password is incorrect. Word cannot open the document.  (C:\...
> \PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:
> P4:'
>        hostname: 'it-mgmt'
>        program_name: '(null)'
>        log: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog
> WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no
> user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The
> password is incorrect. Word cannot open the document.  (C:\...\PW-
> linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:'
>
> **Phase 2: Completed decoding.
>        decoder: 'Office-Alerts'
>        dstuser: 'Microsoft Office 14 Alerts: '
>        status: 'tp-e420s-1546.mydomain.net:'
>        action: 'Microsoft Word The password is incorrect. Word cannot
> open the document.'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '109101'
>        Level: '14'
>        Description: 'Password Protected Document was submitted'
> **Alert to be generated.
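The two checks a practitioner would run next, written here as an added example that is not part of the thread or of OSSEC itself: split the archives.log line back into the server-added prefix and the raw log the agent sent (the logtest output quoted above shows the whole line, timestamp and agent prefix included, being treated as the event, with hostname 'it-mgmt' and program_name '(null)'), and compare the matched rule's level against the `<alerts>` thresholds in ossec.conf. The `log_alert_level` and `email_alert_level` options are real ossec.conf settings; the values in the config fragment, the sample logtest output (reconstructed from the run quoted above) and the function names are assumptions for the example, and nothing here claims to be the cause of the missing alert.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the archives.log line from the thread, joined back onto one line.
# The elided path "C:\...\" is kept exactly as it appears in the post.
ARCHIVE_LINE = (
    r"2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: "
    r"OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: "
    r"tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. "
    r"Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) "
    r"P1: 200603 P2: 14.0.6029.1000 P3:  P4:"
)

# Constructed sample: the Phase 2/3 part of the ossec-logtest run quoted in the thread.
LOGTEST_OUTPUT = """**Phase 2: Completed decoding.
       decoder: 'Office-Alerts'
       dstuser: 'Microsoft Office 14 Alerts: '

**Phase 3: Completed filtering (rules).
       Rule id: '109101'
       Level: '14'
       Description: 'Password Protected Document was submitted'
**Alert to be generated.
"""

# Constructed ossec.conf fragment. <log_alert_level> and <email_alert_level> are real
# OSSEC options under <alerts>; the values are assumptions for this example.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

# archives.log layout: timestamp, (agent name), agent ip->location, then the raw log.
ARCHIVE_PREFIX = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) "
    r"(?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)

# Field lines printed by ossec-logtest in Phase 3.
PHASE3_FIELD = re.compile(r"^\s*(Rule id|Level|Description):\s*'(.*)'\s*$", re.M)


def split_archive_line(line):
    """Split an archives.log line into the server-added prefix fields and the raw log.

    Returns a dict with ts, agent, ip, location and log, or None if the line
    does not carry the archives.log prefix. The 'log' value is what you would
    paste into ossec-logtest to avoid the prefix being treated as part of the event.
    """
    m = ARCHIVE_PREFIX.match(line)
    return m.groupdict() if m else None


def parse_logtest(output):
    """Extract rule id, level, description and the alert flag from ossec-logtest output."""
    result = {"rule_id": None, "level": None, "description": None, "alert": False}
    parts = output.split("**Phase 3:", 1)
    if len(parts) < 2:
        return result  # no rule matched, or output was cut off before Phase 3
    phase3 = parts[1]
    for key, value in PHASE3_FIELD.findall(phase3):
        if key == "Rule id":
            result["rule_id"] = value
        elif key == "Level":
            result["level"] = int(value)
        else:
            result["description"] = value
    result["alert"] = "**Alert to be generated." in phase3
    return result


def parse_alert_thresholds(conf_xml):
    """Read <alerts> thresholds from an ossec.conf fragment, using OSSEC's defaults if absent."""
    root = ET.fromstring(conf_xml)
    alerts = root.find("alerts")

    def get(tag, default):
        node = alerts.find(tag) if alerts is not None else None
        return int(node.text.strip()) if node is not None and node.text else default

    return {
        "log_alert_level": get("log_alert_level", 1),
        "email_alert_level": get("email_alert_level", 7),
    }


def expected_outputs(logtest, thresholds):
    """Say whether an alert of the matched level clears the alerts.log and e-mail thresholds."""
    if not logtest["alert"] or logtest["level"] is None:
        return {"alerts_log": False, "email": False}
    return {
        "alerts_log": logtest["level"] >= thresholds["log_alert_level"],
        "email": logtest["level"] >= thresholds["email_alert_level"],
    }


if __name__ == "__main__":
    fields = split_archive_line(ARCHIVE_LINE)
    print("raw log sent by agent %s (%s): %s" % (fields["agent"], fields["location"], fields["log"]))
    matched = parse_logtest(LOGTEST_OUTPUT)
    print("rule %s level %s: %s" % (matched["rule_id"], matched["level"], matched["description"]))
    print(expected_outputs(matched, parse_alert_thresholds(OSSEC_CONF)))
```

If `expected_outputs` says the level clears `log_alert_level` yet nothing reaches alerts.log, the thresholds are not the explanation and the next place to look is how analysisd handles the live event rather than the pasted archives line.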
