Hello Tewodros,

I believe you will find the /var/ossec/bin/ossec-logtest utility to be of great use. Especially when you execute it with the -v modifier, which allows you to see the step-by-step process of how the message is analyzed until it triggers its end-rule.

Best Regards,
Juan Carlos Tello

On Saturday, January 19, 2019 at 11:20:11 PM UTC+1, Tewodros Ambasa wrote:
>
> Hello. I have been tuning a recent install of OSSEC. I know the rule ID and description of the rule I want to suppress for a particular parameter. However, I do not know if the parameter from the log message has been decoded. For that I would need to know which decoder file to look for under /var/ossec/etc/decoders/ so I can identify what name the parameter has been decoded as. How would I achieve this?
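The other half of the question, which decoder file declares a given field name, can be answered without running the engine at all: OSSEC decoders list their decoded field names in the `<order>` element, so indexing the decoder XML answers "what is this parameter called after decoding, and which file says so". The script below is an added example, not code from the ossec-list posters or the OSSEC project. It assumes the standard OSSEC decoder layout (a file holding several top-level `<decoder>` elements with no document root, each with optional `<parent>`, `<prematch>`, `<regex>` and `<order>` children); the embedded sshd decoders are a constructed sample, and the directory argument is whatever path your install keeps decoders in (the thread names /var/ossec/etc/decoders/).

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the layout of an OSSEC decoder file: several
# <decoder> elements side by side, no single root element, XML comments
# allowed. The decoder names and regexes are illustrative only.
SAMPLE_DECODER_XML = r"""
<!-- sshd decoders (constructed sample, not the shipped decoder.xml) -->
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>

<decoder name="sshd-failed">
  <parent>sshd</parent>
  <prematch>^Failed|^Invalid user</prematch>
  <regex offset="after_prematch">for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
"""


def parse_decoder_file(text, source="<string>"):
    """Parse one OSSEC decoder file into a list of dicts.

    Decoder files are a bare sequence of <decoder> elements, which is not a
    well-formed XML document, so wrap them in a synthetic root first. A
    leading <?xml ...?> declaration (rare, but legal) would break the wrap,
    so it is stripped before wrapping.
    """
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring("<decoders>" + text + "</decoders>")
    decoders = []
    for el in root.iter("decoder"):
        order = el.findtext("order") or ""
        decoders.append({
            "file": source,
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "prematch": el.findtext("prematch"),
            "regex": el.findtext("regex"),
            # <order> names the fields the regex capture groups are stored as
            "fields": [f.strip() for f in order.split(",") if f.strip()],
        })
    return decoders


def load_decoder_dir(directory):
    """Parse every *.xml file in a decoder directory (e.g. /var/ossec/etc/decoders)."""
    found = []
    for path in sorted(Path(directory).glob("*.xml")):
        found.extend(parse_decoder_file(path.read_text(), source=str(path)))
    return found


def decoders_with_field(decoders, field):
    """(file, decoder name) pairs whose <order> defines `field`: these are the
    decoders that could have produced that field name for a rule to match on."""
    return [(d["file"], d["name"]) for d in decoders if field in d["fields"]]


def fields_by_decoder(decoders):
    """Map decoder name -> the list of field names it decodes."""
    return {d["name"]: d["fields"] for d in decoders}


def decoder_chain(decoders, name):
    """Follow <parent> links from a child decoder up to its root decoder."""
    by_name = {d["name"]: d for d in decoders}
    chain = []
    while name in by_name and name not in chain:
        chain.append(name)
        name = by_name[name]["parent"]
    return chain


if __name__ == "__main__":
    # usage: python decoder_index.py [/var/ossec/etc/decoders] [field]
    decs = load_decoder_dir(sys.argv[1]) if len(sys.argv) > 1 \
        else parse_decoder_file(SAMPLE_DECODER_XML, "sample")
    field = sys.argv[2] if len(sys.argv) > 2 else "srcip"
    for path, dec in decoders_with_field(decs, field):
        print(f"field {field!r} is set by decoder {dec!r} in {path} "
              f"(chain: {' -> '.join(decoder_chain(decs, dec))})")
```

Run it with no arguments to see the constructed sample indexed, or point it at the decoder directory and a field name to find the file to edit. To confirm that a real log line actually reaches that decoder, feed the line to ossec-logtest -v as suggested above; its decoding phase shows the decoder name and the decoded fields, which should match what the index reports.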
