> Having never seen your logs, my guess would be:
>
> > 2012 Sep 17 16:54:28 )agent_name) apent_id->powershell -File C\/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 [script parameters]
>
> But, since you do know what your logs are supposed to look like, maybe
> you should be telling me?
Fair point.

> It looks like you're using the command or full_command options, but
> you didn't mention it in the original email so that can't be right.
> Maybe you could fashion your rule to be similar to those types of
> rules though.

I'm using the command local file type. Can you supply a pointer to which rules use that file type please?

Regards,
Nick
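As an added illustration (not part of the thread, and not a reply from either participant), this is the shape OSSEC's own command-based rules take: the agent runs the command from a `command`-type `<localfile>` and forwards each output line as `ossec: output: '<command>': <line>`, and the stock rule 530 in `ossec_rules.xml` matches that prefix, with the command-specific rules (disk usage, listening ports, and so on) chained off it through `<if_sid>530</if_sid>`. The configuration below follows that pattern for the PowerShell collector mentioned above; the `C:/` path normalisation, the 60-second frequency and the local rule id 100100 are assumptions for the example, not values from the thread.

```xml
<!-- Added example, not from the mailing-list thread.
     Agent side (ossec.conf): run the collector script as a "command" local file.
     The path is the one quoted in the thread, normalised to a Windows drive path. -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>powershell -File C:/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1</command>
    <!-- assumed: re-run the command every 60 seconds -->
    <frequency>60</frequency>
  </localfile>
</ossec_config>

<!-- Manager side (rules/local_rules.xml): a custom rule in the same style as the
     stock command rules, anchored on rule 530 and matched on the command string
     the agent prepends to every output line. Rule id 100100 is a placeholder
     in the range reserved for local rules. -->
<group name="local,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'powershell -File C:/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1'</match>
    <description>Output from the custom PowerShell XML log collector.</description>
  </rule>
</group>
```

To see the stock examples this mirrors, look in `ossec_rules.xml` for rule 530 and the rules immediately after it that use `<if_sid>530</if_sid>` together with a `<match>ossec: output: '...'</match>` line; a custom rule only needs to change the quoted command and, optionally, add a `<regex>` on the interesting part of the output.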
