Now I did it another way: wrote the decoder

  <decoder name="kaspersky">
    <prematch>^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\) 0\.0\.0\.0->WinEvtLog WinEvtLog: Kaspersky Event Log: </prematch>
  </decoder>

wrote the rule

  <group name="kasper">
    <rule id="100100" level="8">
      <decoded_as>kaspersky</decoded_as>
      <description>Any Kasper Activity</description>
    </rule>
  </group>

I see the logs in archive.log, and I see the alert when I test the log in ossec-logtest:

  root@domU-12-31-39-16-2A-48:/var/ossec/bin# ./ossec-logtest -a
  2013/09/20 11:31:33 ossec-testrule: INFO: Reading local decoder file.
  2013/09/20 11:31:33 ossec-testrule: INFO: Started (pid: 28710).
  2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: ▒▒▒▒ C:\Users\Admin\Desktop\crack.exe, ▒▒▒▒▒▒▒▒▒▒: ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ 'Trojan.Win32.Genome.zztw'. ▒▒▒▒▒▒▒▒▒▒▒▒: adminpk\Admin, ▒▒▒▒▒▒▒▒▒:localhost

  **Alert 1379676696.1: mail - kasper
  2013 Sep 20 11:31:36 domU-12-31-39-16-2A-48->stdin
  Rule: 100100 (level 8) -> 'Any Kasper Activity'
  2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: ▒▒▒▒ C:\Users\Admin\Desktop\crack.exe, ▒▒▒▒▒▒▒▒▒▒: ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ 'Trojan.Win32.Genome.zztw'. ▒▒▒▒▒▒▒▒▒▒▒▒: adminpk\Admin, ▒▒▒▒▒▒▒▒▒:localhost

but I don't see the alert from OSSEC.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
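An added example, not from the original post or from the OSSEC project: a small Python check that applies the kaspersky decoder's prematch pattern, plus a field-extraction regex of my own, to a few constructed WinEvtLog lines, so you can confirm offline which lines the decoder would claim before looking at the rule or the alert settings. It assumes the prematch can be used verbatim as a Python regex (OSSEC has its own regex engine; for the escapes used here, \d, \w, \., \( and \), the meaning is the same), and the Kaspersky message body is a constructed English placeholder for the garbled text in the post.

```python
import re

# Prematch copied from the kaspersky decoder in the post. OSSEC uses its own
# regex dialect; for the escapes used here (\d, \w, \., \(, \)) the Python
# meaning is the same, which is an assumption this check relies on.
PREMATCH = re.compile(
    r"^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\) 0\.0\.0\.0->WinEvtLog "
    r"WinEvtLog: Kaspersky Event Log: "
)

# Field layout of an OSSEC agent WinEvtLog line after the channel name:
# <severity>(<event id>): <source>: <rest>. The named groups are mine,
# not fields the decoder on the page extracts.
FIELDS = re.compile(
    r"^(?P<timestamp>\d{4} \w+ \d\d \d\d:\d\d:\d\d) \((?P<agent>\w+)\) "
    r"0\.0\.0\.0->WinEvtLog WinEvtLog: Kaspersky Event Log: "
    r"(?P<severity>\w+)\((?P<event_id>\d+)\): (?P<source>\w+): (?P<rest>.*)$"
)

# Constructed sample lines. The first mirrors the line from the post with an
# English placeholder message; the other two are different log sources that
# the kaspersky decoder must not claim.
SAMPLE_LINES = [
    r"2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event Log: "
    r"WARNING(4660): avp: (no user): no domain: adminpk: Detected C:\Users\Admin\Desktop\crack.exe, "
    r"result: detected 'Trojan.Win32.Genome.zztw'. User: adminpk\Admin, Host: localhost",
    r"2013 Sep 20 11:32:00 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    r"Microsoft-Windows-Security-Auditing: (no user): no domain: W7Dell: An account was successfully logged on.",
    r"Sep 20 11:33:45 W7Dell sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234 ssh2",
]


def decode(line):
    """Return extracted fields if the decoder's prematch claims the line, else None."""
    if not PREMATCH.match(line):
        return None
    m = FIELDS.match(line)
    if m is None:
        # Prematch hit but the body did not follow the expected layout:
        # the decoder would still claim the line, just without fields.
        return {"decoder": "kaspersky"}
    fields = m.groupdict()
    fields["decoder"] = "kaspersky"
    return fields


def prematch_hits(lines):
    """Indexes of the lines the decoder would claim (handy for a batch pasted from archive.log)."""
    return [i for i, line in enumerate(lines) if PREMATCH.match(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
```

Paste lines copied from archive.log into SAMPLE_LINES to see which ones the prematch claims; a line that decodes here but raises no live alert points at the rule or alert configuration rather than at the decoder.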
