I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3
agent.
The rule simply alerts on Chrome Remote Desktop events.
It uses this custom decoder:
<decoder name="chromoting">
  <prematch>: chromoting: \.*chromoting</prematch>
</decoder>
The rule is:
<rule id="100040" level="3">
  <decoded_as>chromoting</decoded_as>
  <description>Chrome Remote Desktop event - generic</description>
</rule>
My test event is:
2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.
When I feed this to ossec-logtest, the rule fires:
**Phase 3: Completed filtering (rules).
Rule id: '100040'
Level: '3'
Description: 'Chrome Remote Desktop event - generic'
**Alert to be generated.
...but when I trigger the actual event on my OSSEC agent computer, the event
only shows up on the OSSEC server in archives.log, never in alerts.log.
I have restarted OSSEC server many times and varied lots of things but I
can't get it to fire on the real log event, only in ossec-logtest.
Please advise. I don't have any idea what kinds of rule writing errors can
be glossed over by ossec-logtest while causing rule failures in production.
Kevin
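The test event pasted above is an archives.log line, which carries a server-side header (server timestamp, agent name, agent IP and location) in front of the text the agent actually sent. The following is an added example, not code from the post or from the OSSEC project: it splits such lines into their header fields and the raw log, so the raw portion can be fed to ossec-logtest on its own, and it checks the posted prematch against that raw text. The header layout "<server time> (<agent>) <ip>-><location> <raw log>" and the hand-translation of the OSSEC regex `\.*` to Python's `.*` (OSSEC's `\.` matches any character) are assumptions made for this example; the sample line is copied from the post with the e-mail line wrap removed.

```python
import re

# Constructed sample: the post's archives.log excerpt with the line wrap removed.
# The obfuscated address is kept exactly as it appears in the post.
ARCHIVE_LINE = (
    "2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 "
    "17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no "
    "domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67."
)

# Assumed archives.log header layout:
#   "<server time> (<agent name>) <agent ip>-><location> <raw log>"
ARCHIVE_RE = re.compile(
    r"^(?P<server_time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<location>\S+) (?P<raw>.*)$"
)

# The decoder's prematch from the post, hand-translated to Python regex syntax:
# OSSEC's "\." matches any character, so "\.*" becomes ".*".
PREMATCH_RE = re.compile(r": chromoting: .*chromoting")


def parse_archive_line(line):
    """Split one archives.log line into its header fields and the raw log.
    Returns None when the line does not carry the expected header."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.groupdict()


def prematch_hits(raw_log):
    """True when the translated prematch would select this raw log text."""
    return PREMATCH_RE.search(raw_log) is not None


def raw_logs_for_logtest(lines):
    """Return only the raw-log portion of each parsable archives.log line,
    i.e. the text to paste into ossec-logtest. Unparsable lines are skipped."""
    out = []
    for line in lines:
        fields = parse_archive_line(line)
        if fields is not None:
            out.append(fields["raw"])
    return out


if __name__ == "__main__":
    # Usage: print the stripped raw log and whether the prematch selects it.
    for raw in raw_logs_for_logtest([ARCHIVE_LINE]):
        print(raw)
        print("prematch hits:", prematch_hits(raw))
```

Feeding the stripped raw log (rather than the full archives.log line) to ossec-logtest removes one difference between the test input and what the server's analysis engine receives from the agent, which narrows down where a logtest-only match can come from.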
You received this message because you are subscribed to the Google Groups
"ossec-list" group.