> That's really weird. Make sure `/var/log/syslog` is configured in the agent's ossec.conf.
> I'm not sure if turning on debugging will help, but it might log what is being sent to the server. Poke around in logcollector I guess.
> You could also try turning on the syslog remoted options in the ossec server and point the syslog there.

Dan, thank you very much for your response. I did a workaround for the first issue by sending the remote logs to a different log file.
I'm still struggling with my second problem. The rules seem not to work the same in ossec-testrule and the "real" ossec. If I test a message from the archive, I get the following results in ossec-testrule:

```
ossec-testrule: Type one log per line.

2019-02-14T02:54:39.696151+00:00 PRIMUS-HSM-69 Config Process: DMU Event: 2019-02-14 02:54:12 RNG Status: GOOD (test duration: 4 msecs)

**Phase 1: Completed pre-decoding.
       full event: '2019-02-14T02:54:39.696151+00:00 PRIMUS Config Process: DMU Event: 2019-02-14 02:54:12 RNG Status: GOOD (test duration: 4 msecs)'
       hostname: 'PRIMUS'
       program_name: '(null)'
       log: 'Config Process: DMU Event: 2019-02-14 02:54:12 RNG Status: GOOD (test duration: 4 msecs)'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100200'
       Level: '5'
       Description: 'Message from PRIMUS not further specified'
**Alert to be generated.
```

So the message should arrive with Rule 100200. But it does not (I did add the alert_by_email option). The only messages that do arrive are messages with errors, e.g.:

```
OSSEC HIDS Notification.
2019 Feb 12 14:26:30

Received From: (Kreuzdorn) 10.33.34.2->/var/log/auth.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb 12 13:28:45 PRIMUS FSM Process: DSO error in slot S1 - PIN WRONG - ID: USER1 [01]

--END OF NOTIFICATION
```

My guess is that the hostname is decoded differently in ossec-testrule compared to the "real" server. Any hint on how to modify the rule, so that it matches the messages?
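To make the suspected difference in hostname decoding concrete, here is an added example (not OSSEC's own code and not from this thread) that imitates, in simplified form, what ossec-testrule prints in phase 1: it strips a recognised timestamp prefix, takes the next token as `hostname`, and only sets `program_name` when a space-free token followed by `: ` (optionally with `[pid]`) comes next, which is why `Config Process:` yields `program_name: '(null)'`. The two rules are hypothetical: 1002 mirrors the generic "error" rule from the alert, and 100200 is assumed to be a hostname-based rule with the description shown above. The sample lines are constructed from the formats in the thread; `ODD_LINE` adds a timestamp layout the pre-decoder does not recognise, to show how a hostname-based rule then silently falls through to the keyword rule.

```python
"""Simplified imitation of OSSEC pre-decoding and rule matching (not OSSEC code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, shaped like the two formats seen in the thread.
ISO_LINE = ("2019-02-14T02:54:39.696151+00:00 PRIMUS Config Process: DMU Event: "
            "2019-02-14 02:54:12 RNG Status: GOOD (test duration: 4 msecs)")
BSD_LINE = "Feb 12 13:28:45 PRIMUS FSM Process: DSO error in slot S1 - PIN WRONG - ID: USER1 [01]"
PID_LINE = "Feb 12 13:28:45 PRIMUS sshd[1234]: Accepted publickey for alice"
# Constructed: same content, but a timestamp layout the pre-decoder does not know.
ODD_LINE = "2019-02-14 02:54:39 PRIMUS FSM Process: DSO error in slot S1 - PIN WRONG"

_BSD_TS = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")
_ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2}) ")
# program name: a token with no spaces, optional [pid], followed by ": "
_PROG = re.compile(r"^(?P<prog>[^\s:\[]+)(\[\d+\])?: ")


@dataclass
class PreDecoded:
    hostname: Optional[str]
    program_name: Optional[str]
    log: str


def predecode(line: str) -> PreDecoded:
    """Split a syslog line into the fields ossec-testrule prints in phase 1."""
    ts = _BSD_TS.match(line) or _ISO_TS.match(line)
    if not ts:
        # Unknown prefix: nothing is stripped and no hostname is extracted.
        return PreDecoded(None, None, line)
    rest = line[ts.end():]
    hostname, _, rest = rest.partition(" ")
    pm = _PROG.match(rest)
    if pm:
        return PreDecoded(hostname, pm.group("prog"), rest[pm.end():])
    # "Config Process:" contains a space, so no program_name is found and
    # the whole remainder becomes the log field, as in the thread's output.
    return PreDecoded(hostname, None, rest)


@dataclass
class Rule:
    id: int
    level: int
    description: str
    hostname: Optional[str] = None  # regex applied to the decoded hostname
    match: Optional[str] = None     # case-insensitive substring of the log


# Hypothetical rules (assumed, not taken from the poster's configuration).
RULES = [
    Rule(1002, 2, "Unknown problem somewhere in the system.", match="error"),
    Rule(100200, 5, "Message from PRIMUS not further specified", hostname="^PRIMUS"),
]


def evaluate(rules: List[Rule], d: PreDecoded) -> Optional[Rule]:
    """Return the highest-level rule whose conditions all hold (no if_sid tree)."""
    for r in sorted(rules, key=lambda r: r.level, reverse=True):
        if r.hostname is not None:
            if d.hostname is None or not re.search(r.hostname, d.hostname):
                continue
        if r.match is not None and r.match.lower() not in d.log.lower():
            continue
        return r
    return None


def fired_rule_id(line: str) -> Optional[int]:
    """Rule id that would fire for one raw line, or None."""
    r = evaluate(RULES, predecode(line))
    return r.id if r else None


if __name__ == "__main__":
    for line in (ISO_LINE, BSD_LINE, PID_LINE, ODD_LINE):
        d = predecode(line)
        print(f"hostname={d.hostname!r} program_name={d.program_name!r} "
              f"rule={fired_rule_id(line)}")
```

Running it shows the ISO and BSD lines both decode to `hostname='PRIMUS'` and trigger the hostname rule, while `ODD_LINE` decodes with no hostname at all and drops to the generic level-2 "error" rule. When a server-side alert fires a lower-level keyword rule for a line that ossec-testrule assigns to a hostname rule, comparing the phase-1 fields for the line exactly as it reaches the server (not the archived copy) is the quickest way to confirm whether the hostname is really being extracted there.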
