On a slightly larger install (200+ devices) and trying to tune the decoders/rules a bit with what we're getting.
The main install is working great, but I need (in the next day or so) to go through the full logs and look for any data that are not being decoded. Example - a firewall device from 'Vendor X' that is logging to OSSEC, but there is no decoder for it. As such the data hits no rules and doesn't get an alert ID. I'm looking at archives.log and seeing all the data, but finding it hard to exclude data that 'has' been decoded and logged as a known alert. Any ideas how I can just look at data that is not getting a rule ID, so I can write some decoders/rules for the most common stuff? (Any useful decoders/rules will be pushed back... but I only have 36 hours' access.) Thanks, Andy
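One way to get the list Andy is asking for, as an added example that is not part of the original post or of OSSEC itself: diff the raw messages in archives.log against the raw messages that appear inside alert blocks in alerts.log, then count what is left over by log source and program name. The script assumes archives.log was written with `<logall>yes</logall>` in the one-line "timestamp [(agent) ip]->location message" form and that alerts.log uses the usual multi-line `** Alert` block format with the original log line after the `Rule:` line; the log samples, host names, addresses and the `vendorx-fw` program name are constructed for the example.

```python
"""Triage helper: list archives.log entries that never produced an alert.

Added example, not part of the original post or of OSSEC. Assumptions:
  - archives.log written with <logall>yes</logall>, one entry per line:
    "YYYY Mon DD HH:MM:SS [(agent) ip]->location raw_message"
  - alerts.log in the standard multi-line "** Alert ..." block format,
    with the original log line(s) after the "Rule:" line.
All sample data below is constructed for this example.
"""
import re
from collections import Counter

ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "  # OSSEC receive timestamp
    r"(?:\([^)]*\) )?"                       # optional "(agentname) " prefix
    r"(\S+->\S+) "                           # location: host-or-ip->file
    r"(.*)$"                                 # raw message as logged
)
# syslog-style header: "Aug  7 12:49:28 host program[pid]: ..."
PROGRAM_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ([^\[:\s]+)")

# Constructed archives.log sample: two sshd lines, two lines from an
# unknown firewall, one cron line.
ARCHIVES = """\
2013 Aug 07 12:49:29 (web01) 192.168.1.10->/var/log/auth.log Aug  7 12:49:28 web01 sshd[2210]: Accepted password for andy from 10.0.0.5 port 51022 ssh2
2013 Aug 07 12:49:30 (fw01) 192.168.1.1->/var/log/fw.log Aug  7 12:49:29 fw01 vendorx-fw: DENY tcp 10.0.0.9:44123 -> 192.168.1.20:445
2013 Aug 07 12:49:31 (fw01) 192.168.1.1->/var/log/fw.log Aug  7 12:49:30 fw01 vendorx-fw: DENY udp 10.0.0.9:5353 -> 224.0.0.251:5353
2013 Aug 07 12:49:32 (web01) 192.168.1.10->/var/log/auth.log Aug  7 12:49:31 web01 sshd[2214]: Failed password for invalid user test from 10.0.0.7 port 40022 ssh2
2013 Aug 07 12:49:33 ossec01->/var/log/syslog Aug  7 12:49:33 ossec01 CRON[881]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed alerts.log sample: only the two sshd lines fired rules.
ALERTS = """\
** Alert 1375876169.1024: - syslog,sshd,authentication_success,
2013 Aug 07 12:49:29 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.5
User: andy
Aug  7 12:49:28 web01 sshd[2210]: Accepted password for andy from 10.0.0.5 port 51022 ssh2

** Alert 1375876171.2048: - syslog,sshd,invalid_login,authentication_failed,
2013 Aug 07 12:49:32 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 10.0.0.7
User: test
Aug  7 12:49:31 web01 sshd[2214]: Failed password for invalid user test from 10.0.0.7 port 40022 ssh2
"""


def parse_archives(text):
    """Return (location, raw_message) for every parsable archives.log line."""
    entries = []
    for line in text.splitlines():
        m = ARCHIVE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def alerted_messages(text):
    """Return the set of lines that follow a 'Rule:' line inside alert blocks.

    Decoded field lines ('Src IP: ...', 'User: ...') end up in the set too,
    which is harmless: they never equal a full raw log line.
    """
    alerted = set()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("** Alert"):
            continue
        seen_rule = False
        for line in lines[1:]:
            if line.startswith("Rule: "):
                seen_rule = True
                continue
            if seen_rule:
                alerted.add(line)
    return alerted


def undecoded(archives_text, alerts_text):
    """Archive entries whose raw message never appears in any alert."""
    alerted = alerted_messages(alerts_text)
    return [(loc, msg) for loc, msg in parse_archives(archives_text)
            if msg not in alerted]


def summarize(entries):
    """Count unmatched entries by (location, program) so the noisiest
    undecoded sources can get decoders first."""
    counts = Counter()
    for loc, msg in entries:
        m = PROGRAM_RE.match(msg)
        prog = m.group(1) if m else "<no-syslog-header>"
        counts[(loc, prog)] += 1
    return counts


if __name__ == "__main__":
    leftovers = undecoded(ARCHIVES, ALERTS)
    for (loc, prog), n in summarize(leftovers).most_common():
        print(f"{n:6d}  {loc}  {prog}")
```

On a real box, read the two files instead of the inline samples and run the summary over a day of data. One caveat to keep in mind when reading the output: a message that was decoded but only matched a level-0 rule (the cron line above is the typical case) never reaches alerts.log either, so it shows up here next to genuinely undecoded traffic. Feed a representative line from each bucket through `ossec-logtest` to separate "no decoder" from "decoded, ignored by design" before writing new decoders.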
