On Sun, Jan 20, 2019 at 3:49 AM Tewodros Ambasa <[email protected]> wrote:
>
> Hello Juan. I tried using /var/ossec/bin/ossec-logtest but it only accepts a
> single line for the log. I have a multi-line log. How could I input a
> multi-line log into ossec-logtest?
>

I think the multi-line logcollector option squishes everything into one line, so you could try doing that with ossec-logtest.

> On Sunday, January 20, 2019 at 4:10:48 AM UTC+2, [email protected] wrote:
>>
>> Hello Tewodros,
>>
>> I believe you will find the /var/ossec/bin/ossec-logtest utility to be of
>> great use.
>>
>> Especially when you execute it with the -v modifier, which allows you to see
>> the step-by-step process of how the message is analyzed until it triggers
>> its end-rule.
>>
>> Best Regards,
>> Juan Carlos Tello
>>
>>
>> On Saturday, January 19, 2019 at 11:20:11 PM UTC+1, Tewodros Ambasa wrote:
>>>
>>> Hello. I have been tuning a recent install of OSSEC. I know the rule ID and
>>> description of the rule I want to suppress for a particular parameter.
>>> However, I do not know if the parameter from the log message has been
>>> decoded. For that I would need to know which decoder file to look for under
>>> /var/ossec/etc/decoders/ so I can identify what name the parameter has been
>>> decoded as. How would I achieve this?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
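The squashing the reply refers to, as an added example that is not part of the thread: a small shell helper that joins every N lines of a multi-line log into one record (newline replaced by a space, which is the assumed behaviour of the `multi-line: N` logcollector format), so each record can be fed to ossec-logtest as a single line. The sample log and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates the assumed behaviour of
# OSSEC's <log_format>multi-line: N</log_format>: N consecutive lines are
# glued into one record, each newline replaced by a single space, so the
# result can be pasted into ossec-logtest one record per line.

squash_multiline() {
  # $1 = lines per record, stdin = raw multi-line log, stdout = one record per line
  awk -v n="$1" '
    { buf = (count == 0) ? $0 : buf " " $0; count++ }
    count == n { print buf; buf = ""; count = 0 }
    END { if (count > 0) print buf }   # flush a trailing partial record
  '
}

# Constructed sample: two 3-line records in the shape of a Java stack trace.
sample_log() {
  printf '%s\n' \
    'Jan 20 03:49:01 app[123]: ERROR request failed' \
    '  java.io.IOException: connection reset' \
    '    at com.example.Client.send(Client.java:42)' \
    'Jan 20 03:49:05 app[123]: ERROR request failed' \
    '  java.io.IOException: connection reset' \
    '    at com.example.Client.send(Client.java:42)'
}

# Usage on a real host (path taken from the thread; -v shows each decoder/rule step):
#   sample_log | squash_multiline 3 | /var/ossec/bin/ossec-logtest -v
```

Compare the squashed record against the decoder's `<prematch>`/`<regex>` in the -v output: if the fields you care about only appear on the continuation lines, the decoder must match them after the joining space, not at a line start.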
