That worked! I think I was not testing it properly. I used the tail -f as
you said and added the line with the alert. I really appreciate your help.
I have one more question. Is there any way to monitor new log files as they
appear?
This is the naming convention:
BatchLog_LT_01192016203220
In the config file could I put something like the following? Would that look at
all files with that naming convention? It seems the last 6 numbers may change.
<localfile>
<location>C:\logs\Batch_Log_LT_%m%d%y</location>
<log_format>syslog</log_format>
</localfile>
On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
>
> Great, so we know OSSEC is matching against your custom rule. Next step
> would be to make sure the alert is showing up in
> /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double check you’ve
> restarted the manager since you made the edit to local_rules.xml. If your
> OSSEC manager isn’t too busy, I find the easiest way to do a live test of a
> rule is to tail -f the alerts.log on the server so you can watch as new
> logs are written to it. Then, on the agent, copy/paste your test log line
> into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should
> see it show up in the tailed alerts.log file on the manager. In that alert
> entry it will indicate whether an email was generated or not. The header
> for the alert will look something like this: “** Alert 1453814129.49577:
> mail - local,syslog,”. “mail” being the keyword you’re looking for.
>
> If you see a mail was generated, you know you are dealing with an email
> delivery problem and not an OSSEC detection problem.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Greg Burns
> *Sent:* Tuesday, January 26, 2016 8:28 AM
> *To:* ossec-list <[email protected]>
> *Subject:* Re: [ossec-list] Log file not triggering alert
>
> Thanks for the response.
>
> I ran log test with the following output:
>
> ossec-testrule: Type one log per line.
>
> 2016-01-20T17:49:19 Error validating xml data against the schema on line 272
> Content of element "litleTxnId" is incomplete
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
>        hostname: 'kali'
>        program_name: '(null)'
>        log: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '8888'
>        Level: '12'
>        Description: 'An error was found in an order'
> **Alert to be generated.
>
> On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>
> Have you run your log entry through ossec-logtest on the server? This will
> tell you if an alert should be generated or not. It is always possible that
> another rule is matching first or perhaps your rule isn’t working as
> expected. There are a couple potential issues with your rule, but I would
> suggest checking ossec-logtest and reporting back before you get too far
> into the nitty gritty.
>
>
>
> You can use %Y, %m, and %d in your filenames to represent the year, month
> and day, respectively. The file has to exist before the agent starts,
> otherwise it won’t be monitored. IIRC, wildcards (asterisks) do not work
> with the Windows agent for some strange reason.
>
> *From:* [email protected] [mailto:[email protected]] *On
> Behalf Of *Greg Burns
> *Sent:* Friday, January 22, 2016 1:08 PM
> *To:* ossec-list <[email protected]>
> *Subject:* [ossec-list] Log file not triggering alert
>
> I wrote a rule in OSSEC to send an email alert anytime the following
> string appears in a log (it's a flat log file with no extension):
>
> 2016-01-20T17:49:19 Error validating xml data against the
> schema on line 272 Content of element "litleTxnId" is incomplete
>
> The rule should be triggered anytime the words "error validating" appear.
> Below is the rule:
>
> <!-- Syslog errors. -->
> <group name="syslog,errors,">
>   <rule id="8888" level="12">
>     <match>error validating</match>
>     <options>alert_by_email</options>
>     <description>An error was found in an order</description>
>   </rule>
> </group>
>
> For testing purposes I placed a log file in C:\logs and set the
> configuration file to look in that directory (it's the fourth one down):
>
> <ossec_config>
>
>   <!-- One entry for each file/Event log to monitor. -->
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>C:\logs\BatchLog_LT_01192016203220</location>
>     <log_format>syslog</log_format>
>   </localfile>
> </ossec_config>
>
> However it does not seem to be working. When I go in and restart the agent
> it appears to successfully analyze the logs except it does not trigger an
> alert. Below is the ossec.log after restarting:
>
> 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
> 2016/01/22 15:04:29 ossec-agent(4102): INFO: Connected to the server (10.8.216.157:1514).
> 2016/01/22 15:04:29 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build 7601) - OSSEC HIDS v2.8.3).
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2016/01/22 15:04:30 ossec-agent(1950): INFO: Analyzing file: 'C:\logs\BatchLog_LT_01192016203220'.
> 2016/01/22 15:04:30 ossec-agent: INFO: Started (pid: 7268).
>
> Any ideas? Is my config on the agent not right? Also, what if I wanted
> to look in a specific folder and analyze all logs in that folder, such as
> <location>C:\logs\Batch*</location>? Will this work to view all log files
> that begin with 'Batch'?
>
> Thanks!
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
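The reply above suggests tailing alerts.log and looking for the "mail" token in the "** Alert ..." header to separate an OSSEC detection problem from an email delivery problem. The script below is an added example for this thread, not code from the list or from the OSSEC project: it parses alerts.log entries in the format quoted in the reply ("** Alert <epoch>.<seq>: mail  - <groups>", then the location line, then "Rule: <id> (level <n>) -> '<description>'", then the matched log line) and classifies what the file says about one rule id. The sample alerts.log text, the agent name win7-batch and its IP address are constructed for the demo.

```python
"""Triage an OSSEC alerts.log: did a rule fire, and was the alert flagged for mail?

Added example, not code from the ossec-list thread or from OSSEC.  It reads the
alerts.log entry format quoted in the reply so the "detection vs. email delivery"
question can be answered from the file instead of by watching a tail -f.
"""
import re
from dataclasses import dataclass, field

# First line of every alerts.log entry.  The "mail" token appears only when OSSEC
# queued the alert for email (alert_by_email option, or level >= email_alert_level).
ALERT_HEADER = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<mail>\s+mail)?\s+-\s+(?P<groups>\S+)$"
)
# Rule line: id, level and description.
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed sample (agent name and IP are made up).  The first entry mirrors the
# header quoted in the reply; the second is a routine entry with no mail flag.
SAMPLE_ALERTS_LOG = r"""
** Alert 1453814129.49577: mail  - local,syslog,
2016 Jan 26 10:15:29 (win7-batch) 10.8.216.200->C:\logs\BatchLog_LT_01192016203220
Rule: 8888 (level 12) -> 'An error was found in an order'
2016-01-20T17:49:19 Error validating xml data against the schema on line 272

** Alert 1453814140.49812: - ossec,
2016 Jan 26 10:15:40 ossec-server->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
"""


@dataclass
class Alert:
    ts: int
    groups: list
    mail: bool
    rule_id: int
    level: int
    description: str
    lines: list = field(default_factory=list)  # the log line(s) that matched


def parse_alerts(text):
    """Split alerts.log text into Alert records; entries are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = ALERT_HEADER.match(lines[0])
        if not head:
            continue  # not an alert entry
        rule_idx = next((i for i, l in enumerate(lines) if RULE_LINE.match(l)), None)
        if rule_idx is None:
            continue  # malformed entry without a Rule: line
        rule = RULE_LINE.match(lines[rule_idx])
        alerts.append(Alert(
            ts=int(head["ts"]),
            groups=[g for g in head["groups"].split(",") if g],
            mail=head["mail"] is not None,
            rule_id=int(rule["id"]),
            level=int(rule["level"]),
            description=rule["desc"],
            lines=lines[rule_idx + 1:],
        ))
    return alerts


def triage(text, rule_id):
    """Classify what alerts.log says about one rule id."""
    hits = [a for a in parse_alerts(text) if a.rule_id == rule_id]
    if not hits:
        return "no-detection"      # never fired: look at the rule / <localfile>, not the mailer
    if any(a.mail for a in hits):
        return "mail-flagged"      # OSSEC queued an email: the problem is in delivery
    return "detected-no-mail"      # fired without mail token: check alert_by_email / email_alert_level


if __name__ == "__main__":
    for rid in (8888, 502):
        print(rid, triage(SAMPLE_ALERTS_LOG, rid))
```

Run it against a copy of /var/ossec/logs/alerts/alerts.log from the manager (read the file into a string and call triage with your rule id); "mail-flagged" means the next thing to check is the mail path, not the rule.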
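The earlier reply notes that %Y, %m and %d can be used in a <location> and that the file has to exist before the agent starts; the follow-up question asks whether a date pattern can cover names like BatchLog_LT_01192016203220, where the last digits change. The script below is an added example for this thread, not code from the list or from OSSEC. It assumes only that OSSEC expands strftime tokens in <location> against the current local time and then looks for a file with exactly that name, and it shows what a given pattern would resolve to, and for how long a given file name would be the one it resolves to. The directory listing, the timestamps and the pattern names PATTERN_FULL and PATTERN_DATE are constructed for the demo.

```python
"""Which file would a strftime-based OSSEC <location> point at, and when?

Added example, not code from the ossec-list thread or from OSSEC.  Python's
strftime/strptime use the same tokens as the C strftime OSSEC calls, so the
expansion computed here is the file name the agent would look for.
"""
from datetime import datetime, timedelta

# Constructed listing of C:\logs following the thread's naming convention
# BatchLog_LT_<MMDDYYYYHHMMSS>.
SAMPLE_FILES = [
    "BatchLog_LT_01192016203220",
    "BatchLog_LT_01262016081500",
    "BatchLog_LT_01262016103045",
]

# Candidate <location> patterns (names are ours, not OSSEC settings).
PATTERN_FULL = "BatchLog_LT_%m%d%Y%H%M%S"  # encodes the whole timestamp
PATTERN_DATE = "BatchLog_LT_%m%d%y"        # date-only, two-digit year


def expand_location(pattern, now_iso):
    """The exact file name OSSEC would look for at local time `now_iso` (ISO 8601)."""
    return datetime.fromisoformat(now_iso).strftime(pattern)


def files_matched(pattern, files, now_iso):
    """Files in `files` whose name equals the pattern expansion at `now_iso`."""
    target = expand_location(pattern, now_iso)
    return [f for f in files if f == target]


def _granularity(pattern):
    """How long the expansion of `pattern` stays constant."""
    if "%S" in pattern:
        return timedelta(seconds=1)
    if "%M" in pattern:
        return timedelta(minutes=1)
    if "%H" in pattern:
        return timedelta(hours=1)
    return timedelta(days=1)


def match_window(pattern, filename):
    """(start, end) ISO timestamps of the interval in which strftime(pattern) == filename,
    or None if the pattern can never produce that name.  A date-only pattern covers a
    whole day; one that includes seconds covers a single second, so a name carrying
    HHMMSS is only "the" monitored file during the second it was created."""
    try:
        start = datetime.strptime(filename, pattern)
    except ValueError:
        return None
    end = start + _granularity(pattern)
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    now = "2016-01-26T10:30:45"
    print(files_matched(PATTERN_FULL, SAMPLE_FILES, now))
    print(files_matched(PATTERN_FULL, SAMPLE_FILES, "2016-01-26T10:30:46"))
    print(files_matched(PATTERN_DATE, SAMPLE_FILES, now))
    print(match_window(PATTERN_FULL, "BatchLog_LT_01192016203220"))
    print(match_window(PATTERN_DATE, "BatchLog_LT_01192016203220"))
    print(match_window("BatchLog_LT_%m%d%Y", "BatchLog_LT_01192016"))
```

The useful comparison is the last two match_window calls: a file whose name carries only the date is the expansion's target for the whole day, which is the case the %Y/%m/%d advice in the thread fits, whereas a name that also carries the time matches for one second. Combine that with the reply's point that the file must exist before the agent starts, and you have the check to run before committing a pattern to ossec.conf.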