Good afternoon, I'm after a bit of advice on custom rule debugging as I've got as far as I can along the path and think I should be seeing an alert but I'm not.
I have a log file whose content is being collected via a PowerShell script. The log file uses XML to delimit entries and I need to get one event per XML-delimited block. This is working fine and I'm getting one entry in the archive.log for each of the events in the source log.

I've then taken a single event from the archive log and placed it in a file called test.nd. I had a problem (the entry was being intercepted by rule 1003) which was solved by making my custom rule a child of 1003. When I run:

cat test.nd | ossec-logtest

it's reporting that the event was decoded by my custom decoder and triggered my custom rule. However, when I restart OSSEC with the rule in place and see the events arriving in the archive.log, I'm not seeing the corresponding entry in the alerts.log.

What am I missing please?

Regards,
Nick
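As an added illustration (this is not from the original post, and not OSSEC's own shipped configuration), here is the shape of the decoder/rule pair described above together with the two ossec.conf settings that decide whether a live match is written to alerts.log. The decoder name, rule id 100100, group name, and the prematch pattern are assumed placeholders; the only fact carried over from the post is that the custom rule is a child of 1003.

```xml
<!-- Added example, not from the original post. Decoder name, rule id,
     group name and prematch pattern are assumptions; adjust to the real
     event format. -->

<!-- etc/local_decoder.xml: tag the XML-delimited events the script ships.
     \p in OSSEC regex matches a punctuation character, which covers the
     leading "<" without needing an XML entity in the pattern. -->
<decoder name="custom-xml-event">
  <prematch>^\pEvent</prematch>
</decoder>

<!-- etc/rules/local_rules.xml: child of 1003, so it is only evaluated once
     1003 has matched, exactly as in the post. The level must be greater
     than 0 and at least log_alert_level for an alert to be produced. -->
<group name="local,custom-xml,">
  <rule id="100100" level="5">
    <if_sid>1003</if_sid>
    <decoded_as>custom-xml-event</decoded_as>
    <description>Custom XML event received from collector script.</description>
  </rule>
</group>

<!-- etc/ossec.conf: the rule file has to be included here for the live
     daemon to load it, and log_alert_level is the threshold a matched
     rule's level is compared against before it reaches alerts.log. -->
<ossec_config>
  <rules>
    <include>local_rules.xml</include>
  </rules>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>
```

The distinction worth checking in the ossec-logtest output is whether it prints "**Alert to be generated." after the rule details: logtest reports the rule that matched regardless of level, but only prints that line when the rule's level reaches log_alert_level. A rule at level 0, or below the configured threshold, will show as "triggered" in logtest and still write nothing to alerts.log when the daemon is running.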
