On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <snao...@gmail.com> wrote:
> Hi Daniel,
>
> The alert you changed to level 0 isn't the same one that you wrote about
> some lines before, is it?
> You turned rule SID 100005 to 0, but the alert you showed us has SID 1002.
>

The log message used in the ossec-logtest example matches the log
message that is in the alert. The problem is that ossec-logtest shows
that the log message should match rule 100005, but ossec-analysisd is
matching the log message to 1002.


> For testing purposes try to deactivate (change to level 0) rule 1002 and
> check if it is still generating these alerts.
>

Don't do this. There's no reason to change that to 0. Even for
testing. I've been using OSSEC for a little while now, and I don't
think that would have ever helped with anything.

>
> On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray wrote:
>>
>> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>>>>
>>>>  I'm waiting to see if it generates an alert.
>>>
>>>
>>
>>
>> Nope, issue remains. Very confusing.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
