On Thu, Dec 19, 2013 at 10:07 AM, Janelle <[email protected]> wrote:
> Hello,
>
> I was wondering if anyone has any idea how -- when passing a log entry
> through ossec-logtest the correct rule fires. However, a restart of ossec
> never catches the rule. Even a subsequent logtest run shows the correct rule
> still fires, but not "live"?
>
> Any ideas on what to look for?
>
Make sure the log message looks the same to OSSEC as the log message you are testing with. You can turn the log all option on in the OSSEC server (this does add a header to the log entry in archives.log, but that's easy to strip).

> thanks
> ~J
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
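The comparison suggested in the reply above, as an added example that is not part of the original thread: strip the archives.log header from a live event and find where it first differs from the line that was pasted into ossec-logtest. The header layout (`YYYY Mon DD HH:MM:SS [(agent) ]host->source `), the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed archives.log header: "YYYY Mon DD HH:MM:SS location->source ", where
# location is "host" for local logs or "(agent) ip" for agent logs. Sources
# that contain spaces (command output, some paths) are not handled here.
HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} "  # archive timestamp
    r"(?:\([^)]*\) )?\S+->\S+ "                          # [(agent) ]host->source
)

def strip_archive_header(line):
    """Return the event text that follows the archives.log header."""
    return HEADER.sub("", line.rstrip("\n"), count=1)

def first_difference(tested, live):
    """Return (index, tested_char, live_char) at the first mismatch, else None."""
    for i, (a, b) in enumerate(zip(tested, live)):
        if a != b:
            return i, a, b
    if len(tested) != len(live):
        i = min(len(tested), len(live))
        return i, tested[i:i + 1], live[i:i + 1]  # one side ended early
    return None

# Constructed samples: the line typed into ossec-logtest, and the same event
# as it might appear in archives.log with one extra space before "admin".
TESTED = ("Dec 19 10:07:35 web01 sshd[2211]: Failed password for invalid "
          "user admin from 192.0.2.10 port 51122 ssh2")
ARCHIVED = ("2013 Dec 19 10:07:36 (web01) 192.0.2.5->/var/log/secure "
            "Dec 19 10:07:35 web01 sshd[2211]: Failed password for invalid "
            "user  admin from 192.0.2.10 port 51122 ssh2")

if __name__ == "__main__":
    live = strip_archive_header(ARCHIVED)
    diff = first_difference(TESTED, live)
    if diff is None:
        print("identical: look at rule and decoder loading instead")
    else:
        i, a, b = diff
        print(f"first mismatch at offset {i}: tested={a!r} live={b!r}")
        print("tested:", repr(TESTED[max(0, i - 15):i + 15]))
        print("live:  ", repr(live[max(0, i - 15):i + 15]))
```

Printing with `repr` makes tabs, doubled spaces and trailing whitespace visible, which are the differences that are hardest to spot by eye.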
