OK, I am a little bit further with my problem. I found out that OSSEC does
not find the proper decoder for the message. I used bin/ossec-logtest,
pasted the message and got:
**Phase 1: Completed pre-decoding.
full event: '[2013-06-24 11:06:29] NOTICE[2422][C-0000474a]
chan_sip.c: Failed to authenticate device
3653<sip:[email protected]>;tag=013a5b95'
hostname: 'vlr-2-lts'
program_name: '(null)'
log: '[2013-06-24 11:06:29] NOTICE[2422][C-0000474a] chan_sip.c:
Failed to authenticate device 3653<sip:[email protected]>;tag=013a5b95'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
Is it possible to force OSSEC to use a specific decoder for a specific
file? Or is that approach wrong?
I think OSSEC cannot find the right decoder because the keyword "asterisk"
is missing in the log message?!
Thanks in advance
-Thorsten-
On Tuesday, 7 May 2013 12:49:09 UTC+2, Thorsten Göllner wrote:
>
> Hi,
>
> I installed OSSEC 2.7 and Asterisk 11.3.0. When I "force" a "file not
> found" error in Asterisk, OSSEC will not send an email. Here is a part of
> my config:
>
> <ossec_config>
> <global>
> <email_notification>yes</email_notification>
> <email_to>[email protected]</email_to>
> <smtp_server>127.0.0.1</smtp_server>
> <email_from>[email protected]</email_from>
> </global>
>
> [...]
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/asterisk/full</location>
> </localfile>
> [...]
>
> </ossec_config>
>
> ossec.log says:
> [...]
> 2013/05/07 12:29:03 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/asterisk/full'.
> [...]
>
> "/var/log/asterisk/full" says:
> [...]
> [2013-05-07 12:30:29] WARNING[10562][C-00002e9e] file.c: File
> /audio/moh-test does not exist in any format
> [2013-05-07 12:30:29] WARNING[10562][C-00002e9e] res_musiconhold.c: Unable
> to open file '/audio/moh-test': No such file or directory
> [...]
>
> Other OSSEC mails will be sent (start info and other warnings).
>
> Any idea?
>
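The "No decoder matched" result in the reply above is what ossec-logtest shows when a line carries no syslog header (program_name is '(null)'), so OSSEC's shipped asterisk decoder, which keys on the program name, never fires. Below is an added example, not from the thread or from OSSEC's own decoder.xml, of a local decoder that matches the "[YYYY-MM-DD HH:MM:SS]" prefix Asterisk writes to /var/log/asterisk/full, plus local rules built on it; the decoder and rule names, the rule ids, and the assumption that the logged From header looks like 3653<sip:3653@192.0.2.10>;tag=... are mine.

```xml
<!-- local_decoder.xml (added example; names and the <sip:user@ip> layout are assumptions) -->
<!-- Parent decoder: claims lines Asterisk writes directly to its log file. These start
     with "[YYYY-MM-DD HH:MM:SS]" instead of a syslog header, so program_name is never set. -->
<decoder name="asterisk-full">
  <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] </prematch>
</decoder>

<!-- Child decoder: chan_sip authentication failures. The device id before "<sip:" and the
     host part of the URI are extracted so rules can correlate on srcip. -->
<decoder name="asterisk-full-sip-auth-failed">
  <parent>asterisk-full</parent>
  <prematch offset="after_parent">^NOTICE\S+ chan_sip.c: Failed to authenticate device </prematch>
  <regex offset="after_prematch">^(\S+)<sip:\S+@(\d+.\d+.\d+.\d+)></regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml (added example; ids 100100-100102 are taken from the 100000-109999
     range OSSEC reserves for local rules) -->
<group name="local,asterisk,">
  <!-- Level 0 grouping rule: every line the parent decoder claims lands here first. -->
  <rule id="100100" level="0">
    <decoded_as>asterisk-full</decoded_as>
    <description>Asterisk full-log event (grouping rule).</description>
  </rule>

  <!-- One SIP authentication failure: logged, below the default email threshold. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Failed to authenticate device</match>
    <description>Asterisk: SIP authentication failure for a device.</description>
  </rule>

  <!-- 8 failures from one source IP within 120 seconds: raised to level 10. -->
  <rule id="100102" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Asterisk: repeated SIP authentication failures from the same source IP.</description>
  </rule>
</group>
```

After restarting OSSEC, pasting the NOTICE line into bin/ossec-logtest should show asterisk-full-sip-auth-failed in Phase 2 with user and srcip filled in and rule 100101 in Phase 3. Only rule 100102 (level 10) exceeds the default email_alert_level of 7, so a single failure is recorded in alerts.log but not mailed unless that threshold is lowered.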