My confusion was that the rule he wrote here has SID 100005 and the logtest 
result has SID 100007; sorry about that.

Still, I'll try to create a generic rule to make sure OSSEC is loading new 
rules.

Anyway, if Dan has already tested it and the rule is working, it should be 
that your OSSEC is not loading the rule properly.


On Friday, 13 November 2015, 8:04:05 (UTC-8), dan (ddpbsd) wrote:
>
> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <sna...@gmail.com> 
> wrote: 
> > Hi Daniel, 
> > 
> > The alert you changed to level 0 isn't the same one that you wrote some 
> > lines before, is it? 
> > You turned rule SID 100005 to 0, but the alert you show us has SID 1002. 
> > 
>
> The log message used in the ossec-logtest example matches the log 
> message that is in the alert. The problem is that ossec-logtest shows 
> that the log message should match rule 100005, but ossec-analysisd is 
> matching the log message to 1002. 
>
>
> > For testing purposes try to deactivate (change to level 0) rule 1002 and 
> > check if it is still generating these alerts. 
> > 
>
> Don't do this. There's no reason to change that to 0. Even for 
> testing. I've been using OSSEC for a little while now, and I don't 
> think that would have ever helped with anything. 
>
> > 
> > On Friday, 13 November 2015, 7:44:37 (UTC-8), Daniel Bray wrote: 
> >> 
> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: 
> >>>> 
> >>>>  I'm waiting to see if it generates an alert. 
> >> 
> >> Nope, issue remains. Very confusing. 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
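As an added example, not code from this thread or from the OSSEC project: a small offline checker for the static reasons a custom rule such as 100005 can be absent when ossec-analysisd runs. ossec-logtest reads the rule files afresh on every invocation, while ossec-analysisd only reads them at startup, so a restart of analysisd is the first thing to confirm; after that, the usual culprits are that ossec.conf never includes the file, that the file is included before the file defining the `<if_sid>` parent, or that a rule id is defined twice. The script assumes the classic `<rules><include>` layout of ossec.conf, and every configuration fragment and rule file below is constructed for the example rather than taken from the thread.

```python
"""Offline sanity check: can ossec-analysisd reach a custom OSSEC rule?

Constructed example; the config fragments and rule files are not from
the thread. Assumes the classic <rules><include>...</include></rules>
layout of ossec.conf.
"""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: syslog rules first, local rules last.
OSSEC_CONF_GOOD = """
<ossec_config>
  <rules>
    <include>syslog_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
"""

# Same fragment with the local rules file never included.
OSSEC_CONF_MISSING_INCLUDE = OSSEC_CONF_GOOD.replace(
    "    <include>local_rules.xml</include>\n", "")

# Same fragment with local rules loaded before their parent rule's file.
OSSEC_CONF_WRONG_ORDER = """
<ossec_config>
  <rules>
    <include>local_rules.xml</include>
    <include>syslog_rules.xml</include>
  </rules>
</ossec_config>
"""

# Constructed rule files keyed by filename (hypothetical content).
RULE_FILES = {
    "syslog_rules.xml": """
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
""",
    "local_rules.xml": """
<group name="local,syslog,">
  <rule id="100005" level="0">
    <if_sid>1002</if_sid>
    <match>harmless message</match>
    <description>Suppress a known-noisy child of 1002.</description>
  </rule>
</group>
""",
}


def _parse(text):
    # ossec.conf and rule files may hold several top-level elements,
    # so wrap them in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")


def included_rule_files(conf_text):
    """Rule files named by <include> elements, in ossec.conf order."""
    return [inc.text.strip() for inc in _parse(conf_text).iter("include") if inc.text]


def rules_in(rule_xml):
    """(rule id, list of <if_sid> parent ids) for each <rule>, in file order."""
    out = []
    for rule in _parse(rule_xml).iter("rule"):
        parents = []
        node = rule.find("if_sid")
        if node is not None and node.text:
            # <if_sid> may list several comma-separated parents.
            parents = [p.strip() for p in node.text.split(",") if p.strip()]
        out.append((rule.get("id"), parents))
    return out


def diagnose(conf_text, rule_files, wanted_id):
    """Return a list of findings explaining why wanted_id may not be loaded."""
    findings = []
    includes = included_rule_files(conf_text)
    loaded = {}  # rule id -> file that defined it, filled in load order
    for fname in includes:
        if fname not in rule_files:
            findings.append(f"{fname} is included but does not exist")
            continue
        for rid, parents in rules_in(rule_files[fname]):
            if rid in loaded:
                findings.append(f"rule {rid} in {fname} duplicates rule {rid} in {loaded[rid]}")
            for parent in parents:
                if parent not in loaded:
                    findings.append(f"rule {rid} in {fname} depends on if_sid {parent}, "
                                    "which is not loaded before it")
            loaded[rid] = fname
    if wanted_id not in loaded:
        holders = [f for f, xml in rule_files.items()
                   if any(r == wanted_id for r, _ in rules_in(xml))]
        if holders:
            findings.append(f"rule {wanted_id} is defined in {holders[0]}, "
                            "which ossec.conf never includes")
        else:
            findings.append(f"rule {wanted_id} is not defined in any rule file")
    return findings


if __name__ == "__main__":
    for label, conf in [("good", OSSEC_CONF_GOOD),
                        ("missing include", OSSEC_CONF_MISSING_INCLUDE),
                        ("wrong order", OSSEC_CONF_WRONG_ORDER)]:
        print(label, "->", diagnose(conf, RULE_FILES, "100005") or ["ok"])
```

Run it against a real installation by reading ossec.conf and the files under the rules directory into the same two structures; an empty findings list means the static checks pass and the remaining suspect is a stale analysisd that has not been restarted since the rule was written.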
