Thank you very much, Dan. ossec-logtest was working for me when I was 
passing just the string "session_server_principal_name:cr3vm2 " but I 
couldn't get the alert when passing the whole log entry (after the 
prematch). 
I had tried already with no decoder and a rule almost similar to the one 
you suggested.
I think it was due to the fact that I used rule 18100 instead of the 18104 
in the <if_sid> tag.
This is fixed (and a lesson learned as well)!!
