I ended up getting it working. I think it had to do with the timing of writing test entries to the log file I was processing. Sorry to bother.
BTW, this is an absolutely fantastic product!

On Monday, June 15, 2015 at 3:45:34 PM UTC-5, Mark Feferman wrote:

> I created a custom decoder (in local_decoder.xml) to parse a log file from an application that is similar in format to syslog.
> I also created the corresponding custom rule (in local_rules.xml) to trigger on a particular event.
>
> While testing all of this, when I run ossec-logtest, I get success.
>
> But now that I restart OSSEC, I never receive an alert. I look at the ossec.log file and it has analyzed the particular log file of interest.
>
> What am I missing?
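For readers hitting the same "logtest passes, live OSSEC stays silent" symptom, here is an added, self-contained illustration of the three pieces the thread refers to. It is not the poster's configuration and not shipped OSSEC code: the application name `myapp`, the constructed log line, the decoder and rule names, and the rule id `100100` are all assumptions chosen for the example. The constructed line is what you would feed to `ossec-logtest` on stdin, and later append to the monitored file while OSSEC is running.

```xml
<!-- Constructed sample line (syslog-like), one per line in the monitored file:
     Jun 15 15:45:34 host1 myapp: login failed for user alice from 10.0.0.5
     For ossec-logtest, paste it on stdin:  /var/ossec/bin/ossec-logtest      -->

<!-- local_decoder.xml (assumed names): a parent decoder keyed on the program
     name, and a child that pulls out the user and source IP fields.          -->
<decoder name="myapp">
  <program_name>^myapp</program_name>
</decoder>

<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <regex offset="after_parent">^login failed for user (\S+) from (\S+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml: local rule ids belong in the 100000+ range so they do not
     collide with the shipped rule set. Level 5 is high enough to be alerted on
     with the default alert threshold (log_alert_level 1) in ossec.conf.        -->
<group name="myapp,">
  <rule id="100100" level="5">
    <decoded_as>myapp</decoded_as>
    <match>login failed for user</match>
    <description>myapp: failed login attempt</description>
  </rule>
</group>

<!-- ossec.conf: the part ossec-logtest never exercises. logtest reads stdin, so
     a decoder/rule pair can be perfect while the live daemon still ignores the
     file because no <localfile> entry points the collector at it.            -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp.log</location>
  </localfile>
</ossec_config>
```

Two checks that separate a decoder problem from a collection problem: first, after restarting OSSEC, confirm `ossec.log` shows `(ossec-logcollector) ... Analyzing file: '/var/log/myapp.log'`; second, append a fresh line to the file only after that message appears. The collector tails from the end of the file, so lines written before it started, or lines written while it was restarting (the timing issue the poster ran into), are never seen, even though the same lines decode and match correctly when piped through `ossec-logtest`.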
