Good afternoon,
there's every chance I'm missing something obvious, if so a mild beating
with the cluebat would be welcomed.
I'm trying to get an alert raised from the output of a script (a simple
test Windows batch file in this case). The batch file is:
echo off
echo date_test:
date /t
I have a decoder to look for the output (or at least part of it), this
being:
<decoder name="date_test">
<prematch>date_test</prematch>
</decoder>
defined in the local_decoder.xml. Finally I have a rule, this being:
<!-- Fires whenever there's some output from the test log monitoring
script -->
<rule id="110004" level="1">
<decoded_as>date_test</decoded_as>
<description>The foo date test log monitoring test script has
run</description>
<options>alert_by_email</options>
</rule>
defined in local_rules.xml. I've tested it with logtest, the output of
this being:
root@nick-VirtualBox:/var/ossec# ./bin/ossec-logtest
2012/07/13 15:45:25 ossec-testrule: INFO: Reading local decoder file.
2012/07/13 15:45:25 ossec-testrule: INFO: Started (pid: 2531).
ossec-testrule: Type one log per line.
date_test
**Phase 1: Completed pre-decoding.
full event: 'date_test'
hostname: 'nick-VirtualBox'
program_name: '(null)'
log: 'date_test'
**Phase 2: Completed decoding.
decoder: 'date_test'
**Phase 3: Completed filtering (rules).
Rule id: '110000'
Level: '1'
Description: 'The date test log monitoring test script has run'
**Alert to be generated.
I have logall enabled and I'm seeing the output of the script in the
archive.log but I never see an alert in alert.log.
Any (and all) help appreciated.
Regards,
Nick
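The check a practitioner would want after a post like this is to make sure the line typed into ossec-logtest is the same line the agent actually ships, because a decoder is chosen by first match in load order and a more general decoder loaded earlier can claim the event before a local one is tried. The following is an added example, not code from the post or from OSSEC itself: a simplified Python model of decoder precedence and of the rule's `<decoded_as>` check, using the posted decoder and rule. It assumes that the stock `ossec` decoder (prematch `^ossec: `) sits ahead of local decoders, that command-monitoring output is delivered with the `ossec: output: '<alias>': ` prefix, and that archives.log lines have the layout `YYYY Mon DD HH:MM:SS (agent) ip->location log`; the agent name, IP and location are placeholders. Child decoders, regex fields and `<if_sid>` chains are deliberately left out.

```python
import re

# Added example (not from the post): a simplified model of how OSSEC picks a
# decoder.  Decoders are tried in load order (decoder.xml before
# local_decoder.xml) and the first whose prematch hits claims the event; a
# prematch is searched anywhere in the log unless it begins with '^'.
# Assumption: the stock "ossec" decoder (prematch "^ossec: ") is loaded ahead
# of the poster's local "date_test" decoder.
DECODERS = [
    {"name": "ossec", "prematch": "^ossec: "},
    {"name": "date_test", "prematch": "date_test"},
]

# The rule from the posted local_rules.xml, keyed on decoded_as.
RULES = [
    {"id": 110004, "level": 1, "decoded_as": "date_test",
     "description": "The foo date test log monitoring test script has run"},
]

# Constructed sample input (not from the post).  TYPED_LINE is what was typed
# into ossec-logtest; SHIPPED_LINE assumes the agent delivers command output
# with the "ossec: output: '<alias>': " prefix that command monitoring adds;
# ARCHIVE_LINE wraps it in the archives.log layout ("YYYY Mon DD HH:MM:SS
# (agent) ip->location log") with a placeholder agent, IP and location.
TYPED_LINE = "date_test"
SHIPPED_LINE = "ossec: output: 'date_test': date_test:"
ARCHIVE_LINE = "2012 Jul 13 15:45:25 (win-agent) 10.0.0.5->command " + SHIPPED_LINE

ARCHIVES_RE = re.compile(
    r"^\d{4} [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "  # timestamp
    r"(?:\([^)]*\) )?"                                    # optional "(agent) "
    r"\S+->\S+ "                                          # origin->location
    r"(?P<log>.*)$"
)


def prematch_hits(prematch, log):
    """Emulate an OSSEC prematch: anchored only when it starts with '^'."""
    if prematch.startswith("^"):
        return log.startswith(prematch[1:])
    return prematch in log


def decode(log, decoders=DECODERS):
    """Name of the first decoder whose prematch hits, or None."""
    for decoder in decoders:
        if prematch_hits(decoder["prematch"], log):
            return decoder["name"]
    return None


def matching_rule_ids(decoder_name, rules=RULES):
    """Ids of rules whose <decoded_as> names the decoder that fired."""
    return [r["id"] for r in rules if r["decoded_as"] == decoder_name]


def raw_log_from_archives(line):
    """Strip the archives.log prefix so the raw log can be fed to logtest."""
    m = ARCHIVES_RE.match(line)
    return m.group("log") if m else None


def trace(log):
    """Mimic logtest phases 2 and 3: which decoder fired, then which rules."""
    decoder = decode(log)
    return decoder, matching_rule_ids(decoder)


if __name__ == "__main__":
    for line in (TYPED_LINE, raw_log_from_archives(ARCHIVE_LINE)):
        print("%-42r -> decoder=%r rules=%r" % ((line,) + trace(line)))
```

Run stand-alone, the bare `date_test` line lands on the `date_test` decoder and rule 110004, exactly as the logtest session above shows, while the prefixed line extracted from the archives.log entry is claimed by the earlier `ossec` decoder and so never reaches a rule keyed on `decoded_as date_test`. The practical habit this illustrates is to copy the raw log out of archives.log and paste that into logtest, rather than the string you expect the script to produce; if the two disagree, the decoder and rule have to be written against the line that is really delivered.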