Hi Kevin,

A silly question

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
[email protected]

On June 2, 2016 at 22:45:01, Kevin Branch ([email protected]) wrote:

I am running an OSSEC 2.8.3 server and a Windows computer with the OSSEC 2.8.3 agent. The rule simply alerts on Chrome Remote Desktop events. It uses this custom decoder:

    <decoder name="chromoting">
      <prematch>: chromoting: \.*chromoting</prematch>
    </decoder>

The rule is:

    <rule id="100040" level="3">
      <decoded_as>chromoting</decoded_as>
      <description>Chrome Remote Desktop event - generic</description>
    </rule>

My test event is:

    2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.

When I feed this to ossec-logtest, the rule fires:

    **Phase 3: Completed filtering (rules).
           Rule id: '100040'
           Level: '3'
           Description: 'Chrome Remote Desktop event - generic'
    **Alert to be generated.

...but when I trigger the actual event on my OSSEC agent computer, the event only shows up on the OSSEC server in archives.log, never in alerts.log. I have restarted the OSSEC server many times and varied lots of things, but I can't get it to fire on the real log event, only in ossec-logtest. Please advise. I don't have any idea what kinds of rule-writing errors can be glossed over by ossec-logtest while causing rule failures in production.

Kevin

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
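Added example (mine, not from the thread or the OSSEC project): a small Python harness that reads a decoder's <prematch>, translates it to a Python regex and runs it over Kevin's event both as pasted into ossec-logtest and with everything before "WinEvtLog: " stripped, so you can see which prematches depend on the exact shape of the line that reaches the decoder. The OSSEC-to-Python regex translation is a simplified assumption covering only the escapes used here, and the anchored `^WinEvtLog: ` prematch is assumed to be the stock windows decoder's.

```python
import re
import xml.etree.ElementTree as ET
# Decoder exactly as posted in the thread.
CHROMOTING_DECODER = """<decoder name="chromoting">
  <prematch>: chromoting: \\.*chromoting</prematch>
</decoder>"""

# Assumption: the stock OSSEC "windows" decoder anchors its prematch at line start.
WINDOWS_DECODER = """<decoder name="windows">
  <prematch>^WinEvtLog: </prematch>
</decoder>"""
# Kevin's test event as he pasted it into ossec-logtest (archive-log format) ...
LOGTEST_EVENT = ("2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog "
                 "2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): "
                 "chromoting: (no user): no domain: XYZ-O9020: Client connected: "
                 "[email protected]/chromoting754CDB67.")
# ... and a constructed variant with everything before "WinEvtLog: " cut off.
BARE_EVENT = LOGTEST_EVENT[LOGTEST_EVENT.index("WinEvtLog: "):]

# Simplified translation of the OSSEC regex dialect (an assumption of this example).
_ESCAPES = {".": ".", "w": "[A-Za-z0-9@_-]", "d": r"\d", "s": " ", "t": r"\t",
            "(": "(", ")": ")"}
def ossec_regex_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            esc = pattern[i + 1]
            if esc not in _ESCAPES:
                raise ValueError("unsupported OSSEC escape: \\" + esc)
            out.append(_ESCAPES[esc])
            i += 2
        else:
            # In OSSEC, * + ^ $ | are operators; ( ) . ? [ ] { } are plain literals.
            out.append("\\" + ch if ch in ".()[]{}?\\" else ch)
            i += 1
    return "".join(out)

def prematch_fires(decoder_xml, log):
    """True if the decoder's <prematch> matches the log line (unanchored search)."""
    prematch = ET.fromstring(decoder_xml).find("prematch").text
    return re.search(ossec_regex_to_python(prematch), log) is not None

if __name__ == "__main__":
    for name, dec in (("chromoting", CHROMOTING_DECODER), ("windows", WINDOWS_DECODER)):
        for label, line in (("logtest form", LOGTEST_EVENT), ("bare form", BARE_EVENT)):
            print(f"{name:10s} on {label}: {prematch_fires(dec, line)}")
```

The unanchored chromoting prematch fires on both forms of the line, while the anchored one fires only on the bare form; testing a decoder against both shapes is a quick way to tell whether a logtest result will carry over to what the agent actually delivers.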
