Thanks for helping me along. My mistake was I was shoving this into ossec-logtest, log record prefix data and all:

2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.

when I should have been feeding it only the actual log record, like this:

2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.

There was no inconsistency with ossec-logtest vs production. It was just me feeding the wrong thing into ossec-logtest.

Problem solved,
Kevin

On Friday, June 3, 2016 at 9:41:37 AM UTC-4, dan (ddpbsd) wrote:
>
> On Thu, Jun 2, 2016 at 10:42 PM, Kevin Branch <[email protected]> wrote:
> > I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent.
> >
> > The rule simply alerts on Chrome Remote Desktop events.
> >
> > It uses this custom decoder:
> >
> > <decoder name="chromoting">
> >   <prematch>: chromoting: \.*chromoting</prematch>
>
> I don't think regex is allowed in the prematch, the docs only mention sregex:
>
> https://ossec.github.io/docs/syntax/head_decoders.html?highlight=prematch#element-decoder.prematch
>
> > </decoder>
> >
> > The rule is:
> >
> > <rule id="100040" level="3">
> >   <decoded_as>chromoting</decoded_as>
> >   <description>Chrome Remote Desktop event - generic</description>
> > </rule>
> >
> > My test event is:
> >
> > 2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.
> >
> > When I feed this to ossec-logtest, the rule fires:
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100040'
> >        Level: '3'
> >        Description: 'Chrome Remote Desktop event - generic'
> > **Alert to be generated.
> >
> > ..but when I trigger the actual event on my OSSEC agent computer, the event only shows up on the OSSEC server in archives.log, never in alerts.log.
> >
> > I have restarted OSSEC server many times and varied lots of things but I can't get it to fire on the real log event, only in ossec-logtest.
> >
> > Please advise. I don't have any idea what kinds of rule writing errors can be glossed over by ossec-logtest while causing rule failures in production.
> >
>
> Using the decoder and rule above, I get the following output from ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.'
>        hostname: 'ipyr'
>        program_name: 'WinEvtLog'
>        log: 'Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> Changing the decoder to this:
>
> <decoder name="chromoting">
>   <prematch>: chromoting: </prematch>
>   <program_name>^WinEvtLog</program_name>
> </decoder>
>
> it all starts to work.
>
> I run this to get the log into syslog (I don't have a way to test it any other way that I can think of), so it may not be exactly correct:
>
> # echo 'Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.' | logger -t WinEvtLog
>
> Here's the entry from alerts.log:
>
> ** Alert 1464961149.36091: - local,syslog,
> 2016 Jun 03 09:39:09 ipyr->/var/log/messages
> Rule: 100040 (level 3) -> 'Chrome Remote Desktop event - generic'
> Jun  3 09:39:07 ipyr WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.
>
> I believe this is with a fairly stock 2.8.3, but I'm not positive.
>
> > Kevin

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
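The lesson of the thread is that a line copied out of the server's archives.log carries a header the server prepended ("timestamp (agent) ip->location ") that the agent never sent, and that feeding this header into ossec-logtest changes what pre-decoding sees as program_name. The following is an added example, not code from the thread or from OSSEC: it splits an archives.log line into the server header and the bare record, approximates the Phase 1 pre-decoding shown in dan's reply for a WinEvtLog-shaped record (leading timestamp, then "program: log"), and applies a decoder's prematch/program_name under a simplified model of sregex in which only ^ and $ are special and everything else is a literal substring. The sample lines, the account name, and the helper names are constructed for the example; the pre-decoder and sregex models are assumptions that reproduce the behaviour reported on the page, not OSSEC's own matcher.

```python
import re

# Constructed sample (host, address and account are placeholders, not from a real system):
# RECORD is the bare event the agent forwards; ARCHIVE_LINE is the same event as the
# server writes it to archives.log, with its own "timestamp (agent) ip->location " header.
RECORD = (
    "2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: "
    "(no user): no domain: XYZ-O9020: Client connected: someone@example.com/chromoting754CDB67."
)
ARCHIVE_LINE = "2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog " + RECORD

# archives.log header as seen on the page: "<server ts> (<agent>) <ip>-><location> <record>"
ARCHIVE_HEADER = re.compile(
    r"^(?P<server_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<location>\S+) (?P<record>.*)$"
)
# Leading "YYYY Mon DD HH:MM:SS " as the Windows agent writes it, then "progname: log".
WINEVT_TS = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} ")
PROGNAME = re.compile(r"^(?P<prog>[^\s:]+): (?P<log>.*)$")

# Decoder from dan's reply, as key/value pairs (hypothetical representation).
FIXED_DECODER = {"prematch": ": chromoting: ", "program_name": "^WinEvtLog"}


def split_archive_line(line):
    """Split an archives.log line into the server-added header fields and the original
    record. Returns None when the line carries no header (it already is a bare record)."""
    m = ARCHIVE_HEADER.match(line)
    return m.groupdict() if m else None


def predecode(record):
    """Approximate ossec-logtest Phase 1 for a WinEvtLog-shaped record (assumption, not
    OSSEC's pre-decoder): drop the leading timestamp, take 'word: ' as program_name and
    the remainder as log. With an archives.log header in front, the token after the
    timestamp is '(agent)', so no program_name is found."""
    body = WINEVT_TS.sub("", record, count=1)
    m = PROGNAME.match(body)
    if not m:
        return {"program_name": None, "log": body}
    return {"program_name": m.group("prog"), "log": m.group("log")}


def sregex_match(pattern, text):
    """Simplified model of OSSEC sregex: '^' anchors the start, '$' the end, and the rest
    of the pattern is matched as a literal substring (assumption for this example)."""
    start = pattern.startswith("^")
    end = pattern.endswith("$")
    lit = pattern[1 if start else 0:len(pattern) - 1 if end else len(pattern)]
    if start and end:
        return text == lit
    if start:
        return text.startswith(lit)
    if end:
        return text.endswith(lit)
    return lit in text


def decoder_matches(decoder, pre):
    """Apply a decoder's <program_name> (if any) and <prematch> to a pre-decoded event."""
    want_prog = decoder.get("program_name")
    if want_prog is not None:
        if pre["program_name"] is None or not sregex_match(want_prog, pre["program_name"]):
            return False
    return sregex_match(decoder["prematch"], pre["log"])


def check_all():
    """Run the fixed decoder against the bare record, the archives.log line as copied,
    and the record recovered by stripping the header; return the outcomes by name."""
    results = {}
    results["fixed_on_record"] = decoder_matches(FIXED_DECODER, predecode(RECORD))
    hdr = split_archive_line(ARCHIVE_LINE)
    results["header_parsed"] = hdr is not None and hdr["record"] == RECORD
    results["fixed_on_archive_line"] = decoder_matches(FIXED_DECODER, predecode(ARCHIVE_LINE))
    results["fixed_on_stripped"] = decoder_matches(FIXED_DECODER, predecode(hdr["record"]))
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name}: {outcome}")
```

Use split_archive_line() on anything copied from archives.log before pasting it into ossec-logtest; the header fields it returns (server_ts, agent, ip, location) are what the server added and are not part of the record the decoders run against.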
