velvin, can you try to run ossec-logtest more verbose with command "ossec-logtest -v" and paste the results here? I had similar issues with ossec-logtest giving different results than ossec-analysisd in the past.
Jan

On Fri, Aug 29, 2014 at 8:44 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Aug 29, 2014 at 12:16 PM, velvin <[email protected]> wrote:
> > Regardless of the rule ID it triggers, the issue I'm seeing is that while
> > manually testing the rule using the ossec-logtest tells me "alert to be
> > generated" but in actual testing (causing the event ID from a host with
> > agent running) no alerts or log entry is generated (except rule ID 1002). I
> > know the workstation is sending the correct log since I see rule ID 1002
> > generate the alert but the windows msauth rules are not hit. I am stuck
> > here....
> >
>
> Make sure the OSSEC processes restart after you make changes.
> Other than that, I cannot reproduce this issue, so I have no clue.
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
