Hi,
I have an agent running and I do get some alerts from it, such as the
agent starting alert. I'm trying to monitor the logs of my SAN frames.
They cannot talk directly to the OSSEC server due to a number of factors,
so they are set up to talk to an intermediary server. That part is
working. I see the SAN frames' log events show up in /var/log/messages on
my intermediary server. However, the agent never passes these along to the
OSSEC server, as near as I can tell. I don't see any alerts in alerts.log.
I am receiving events from my other agents on other servers just fine.

I have written a custom rule to filter for the host names of the SAN frames:
  <rule id="110000" level="12">
    <hostname>shelf_1</hostname>
    <description>Event from Coraid SAN Frames.</description>
  </rule>


Output of ossec-logtest:
   ossec-testrule: Type one log per line.

May 15 13:03:26 shelf_1 Hello World 29

**Phase 1: Completed pre-decoding.
       full event: 'May 15 13:03:26 shelf_1 Hello World 29'
       hostname: 'shelf_1'
       program_name: '(null)'
       log: 'Hello World 29'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '110000'
       Level: '12'
       Description: 'Event from Coraid SAN Frames.'
**Alert to be generated.
 


As I understand it, I don't have to have a decoder, and the above output
would seem to support that. I cannot figure out why I can't see these
events on the OSSEC server. Any help would be appreciated. Thank you.
