>
> All right, now run this through ossec-logtest:
>
> ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program
> Files\ossec-agent>echo off
>
OK, done. I kicked off ossec-logtest:
ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program
Files\ossec-agent>echo off
Which caused the rule to fire. When I changed it to:
ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program
Files\ossec-agent>echo off
(no newline) which is what I suspect analysisd is actually seeing,
rule 530 (quite correctly) fired instead.
So, I removed the decoder I was using and changed the rule to:
<rule id="110004" level="1">
<if_sid>530</if_sid>
<match>date_test</match>
<description>The foo date test log monitoring test script has
run</description>
<options>alert_by_email</options>
</rule>
and everything is working as I hoped it would do. SO..SOLVED! Thanks
for pointing me in the right direction.
Regards,
Nick
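As an added illustration of why the final rule works (example code, not from the thread or from the OSSEC project): the snippet below parses Nick's rule 110004 from the post and applies the two conditions OSSEC evaluates for it, that a parent rule listed in `if_sid` already fired and that the `match` text is a substring of the log. The `parent_rules_for` function is an assumption that stands in for rule 530: here it simply fires on any log beginning with `ossec: output:`, which is enough to show the chaining; the real rule 530 has its own decoder and conditions. The sample log lines are constructed from the one quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Rule 110004 exactly as posted, wrapped in a <group> so it parses as one XML document.
RULE_XML = """<group name="local,">
<rule id="110004" level="1">
<if_sid>530</if_sid>
<match>date_test</match>
<description>The foo date test log monitoring test script has run</description>
<options>alert_by_email</options>
</rule>
</group>"""


def parse_rules(xml_text):
    """Extract id, level, if_sid parents, match string and description from each <rule>."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        parents = [int(s) for s in (r.findtext("if_sid") or "").split(",") if s.strip()]
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": parents,
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        })
    return rules


def parent_rules_for(log_line):
    """Stand-in for OSSEC rule 530 (assumption, not the real rule's condition):
    treat any 'ossec: output:' line as command output that rule 530 would catch."""
    return [530] if log_line.startswith("ossec: output:") else []


def evaluate(log_line, rules):
    """Return the sorted ids of all rules that fire for one log line.
    A local rule fires only if one of its if_sid parents fired and its <match>
    text occurs anywhere in the log; trailing whitespace does not matter for <match>."""
    fired = set(parent_rules_for(log_line))
    for rule in rules:
        if rule["if_sid"] and not fired.intersection(rule["if_sid"]):
            continue  # parent rule did not fire, so this rule is never considered
        if rule["match"] and rule["match"] not in log_line:
            continue  # substring check failed
        fired.add(rule["id"])
    return sorted(fired)


# Constructed sample logs, modelled on the line quoted in the thread.
SAMPLE_LOGS = {
    "date_test": "ossec: output: 'C\\\\ossec_logtest\\date_test.bat': C:\\Program Files\\ossec-agent>echo off",
    "other_bat": "ossec: output: 'C\\\\ossec_logtest\\other.bat': C:\\Program Files\\ossec-agent>echo off",
    "not_command_output": "Jan  1 00:00:00 host sshd[1]: Accepted publickey for nick",
}


def run_samples():
    """Evaluate every sample log against the parsed rules."""
    rules = parse_rules(RULE_XML)
    return {name: evaluate(line, rules) for name, line in SAMPLE_LOGS.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:22s} -> fired rules {fired}")
```

Running it shows the date_test line firing both 530 and 110004, a different command-output line firing only 530, and an unrelated log firing nothing, which is the behaviour the final rule in the thread relies on.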