Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams wrote:
> I stopped them all (which appeared to work fine) and started again. Here is the rule and decoder I made for this (I want to alert only once if the same ID (filepath) has alerted in the past minute):
>
> 510

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Jesus Linares
Hi, check this out: https://groups.google.com/forum/#!topic/ossec-list/USAF6jF8yk8
Regards.
On Wednesday, April 5, 2017 at 10:45:52 PM UTC+2, Rob Williams wrote:
> I stopped them all (which appeared to work fine) and started again. Here is the rule and decoder I made for this (I want to

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
I stopped them all (which appeared to work fine) and started again. Here is the rule and decoder I made for this (I want to alert only once if the same ID (filepath) has alerted in the past minute): 510 This is meant to reduce noise as these events happen in batches with not

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made, restart, and still have the same issue.
>
Try stopping the ossec processes, verify that ossec-analysisd has stopped (sometimes it doesn't

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Yes I have, I've also tried to disable all the relevant changes I've made, restart, and still have the same issue.
On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> > Hi all,
> >
> > I'm

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this

[ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Hi all, I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am