On Wed, Oct 31, 2012 at 8:04 AM, Andy <[email protected]> wrote:
> On a slightly larger install (200+ devices) and trying to tune the
> decoders/rules a bit with what we're getting.
>
> The main install is working great, but I need (in the next day or so) to go
> through the full logs and look for any data that are not being decoded.
> Example - A firewall device from 'Vendor X' that is logging to OSSEC, but
> there is no decoder for it. As such the data hits no rules and doesn't get
> an alert ID.
>
> I'm looking at archives.log and seeing all the data, but finding it hard to
> exclude data that 'has' been decoded and logged as a known alert.
>
> Any ideas how I can just look at data that is not getting a rule ID so I can
> write some decoders/rules for the most common stuff? (any useful
> decoders/rules will be pushed back... but I only have 36 hours access).
>
> Thanks
> Andy
Run all of the logs through ossec-logtest. I wrote a script a while back to output log messages that didn't decode/trigger a rule. Shouldn't take you long to write something similar.
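Along the lines of the script mentioned in that reply, here is an added example of my own (not the poster's script and not anything shipped with OSSEC). It reads ossec-logtest output on stdin, splits it into per-event blocks, and keeps only events that never reached a "Rule id:" line, separating "no decoder matched" from "decoder matched but no rule fired" so the noisiest undecoded program names float to the top. The ossec-logtest output embedded below is constructed, and the archives.log prefix regex (timestamp, optional agent, host->location) is my assumption about that file's layout, not something the thread states.

```python
"""List events from ossec-logtest output that hit no rule (added example)."""
import re
import sys
from collections import Counter

PHASE1 = "**Phase 1: Completed pre-decoding."

# Fields ossec-logtest prints per event, one per line, value in single quotes.
FULL_EVENT_RE = re.compile(r"^\s*full event: '(.*)'\s*$", re.MULTILINE)
PROGRAM_RE = re.compile(r"^\s*program_name: '([^']*)'", re.MULTILINE)
DECODER_RE = re.compile(r"^\s*decoder: '([^']*)'", re.MULTILINE)
RULE_ID_RE = re.compile(r"^\s*Rule id: '(\d+)'", re.MULTILINE)

# Assumption: archives.log stores each line as
#   "YYYY Mon DD HH:MM:SS [(agent) ip]host->location <original log line>"
# and ossec-logtest wants only the original line, so strip that prefix first.
ARCHIVE_PREFIX_RE = re.compile(
    r"^\d{4} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?:\([^)]*\) )?\S+->\S+ "
)

# Constructed ossec-logtest output (not captured from a real install): one
# event that decodes and alerts, two from an unknown firewall with no decoder,
# and one that has a decoder but matches no rule.
SAMPLE_LOGTEST_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'Oct 31 08:04:01 fw01 sshd[1234]: Failed password for root from 10.0.0.5 port 4321 ssh2'
       hostname: 'fw01'
       program_name: 'sshd'
       log: 'Failed password for root from 10.0.0.5 port 4321 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'root'
       srcip: '10.0.0.5'

**Phase 3: Completed filtering (rules).
       Rule id: '5716'
       Level: '5'
       Description: 'SSHD authentication failed.'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
       full event: 'Oct 31 08:04:02 fw01 vendorx: type=traffic act=deny src=10.0.0.5 dst=192.0.2.9'
       hostname: 'fw01'
       program_name: 'vendorx'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 1: Completed pre-decoding.
       full event: 'Oct 31 08:04:03 fw01 vendorx: type=traffic act=allow src=10.0.0.6 dst=192.0.2.9'
       hostname: 'fw01'
       program_name: 'vendorx'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 1: Completed pre-decoding.
       full event: 'Oct 31 08:04:04 vpn01 acme-vpn: session opened for user alice'
       hostname: 'vpn01'
       program_name: 'acme-vpn'

**Phase 2: Completed decoding.
       decoder: 'acme-vpn'
       user: 'alice'
"""


def strip_archive_prefix(line):
    """Turn an archives.log line back into the raw line the device sent."""
    return ARCHIVE_PREFIX_RE.sub("", line, count=1)


def split_events(text):
    """One block per event; text before the first Phase 1 banner is ignored."""
    parts = text.split(PHASE1)
    return [PHASE1 + p for p in parts[1:]]


def classify(block):
    """Extract event, program, decoder and rule id; derive a status."""
    grab = lambda rx: (rx.search(block).group(1) if rx.search(block) else None)
    info = {"event": grab(FULL_EVENT_RE), "program_name": grab(PROGRAM_RE),
            "decoder": grab(DECODER_RE), "rule_id": grab(RULE_ID_RE)}
    if info["rule_id"] is not None:
        info["status"] = "alerted"
    elif info["decoder"] is None:
        info["status"] = "no decoder"          # needs a decoder first
    else:
        info["status"] = "decoded, no rule"    # decoder exists, write a rule
    return info


def undecoded_events(text):
    """Events that never produced a Rule id, in input order."""
    return [c for c in map(classify, split_events(text)) if c["rule_id"] is None]


def summarize_by_program(text):
    """Count unmatched events per program_name to prioritise decoder work."""
    return Counter(c["program_name"] or "<none>" for c in undecoded_events(text))


if __name__ == "__main__":
    if "--strip-prefix" in sys.argv:      # pre-process archives.log for ossec-logtest
        for raw in sys.stdin:
            sys.stdout.write(strip_archive_prefix(raw))
        sys.exit(0)
    data = SAMPLE_LOGTEST_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for ev in undecoded_events(data):
        print(f"[{ev['status']}] {ev['event']}")
    for prog, n in summarize_by_program(data).most_common():
        print(f"{n:6d}  {prog}")
```

Run it on the manager, where ossec-logtest sees the same decoders and rules as analysisd: `python3 undecoded.py --strip-prefix < archives.log | ossec-logtest 2>&1 | python3 undecoded.py`. Events tagged "no decoder" are the Vendor X case from the question; "decoded, no rule" ones already have a decoder and only need a rule, which is worth knowing before spending the 36 hours writing decoders.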
