On June 2, 2016 at 22:45:01, Kevin Branch (ke...@branchnetconsulting.com) wrote:
I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent.

The rule simply alerts on Chrome Remote Desktop events. It uses this custom decoder:

    <decoder name="chromoting">
      <prematch>: chromoting: \.*chromoting</prematch>
    </decoder>

The rule is:

    <rule id="100040" level="3">
      <decoded_as>chromoting</decoded_as>
      <description>Chrome Remote Desktop event - generic</description>
    </rule>

My test event is:

    2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.

When I feed this to ossec-logtest, the rule fires:

    **Phase 3: Completed filtering (rules).
           Rule id: '100040'
           Level: '3'
           Description: 'Chrome Remote Desktop event - generic'
    **Alert to be generated.

...but when I trigger the actual event on my OSSEC agent computer, the event only shows up on the OSSEC server in archives.log, never in alerts.log.

I have restarted OSSEC server many times and varied lots of things but I can't get it to fire on the real log event, only in ossec-logtest.

Please advise. I don't have any idea what kinds of rule writing errors can be glossed over by ossec-logtest while causing rule failures in production.

Kevin
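The following is an added example, not part of the original post and not OSSEC's own code: a small Python model of how ossec-analysisd chooses a decoder (decoders from the stock decoder.xml are tried before those from local_decoder.xml, and the first prematch that hits wins). It is fed two forms of the event from the post: the archives.log line exactly as it was pasted into ossec-logtest, and the same event with the archives.log header (`date (agent) ip->location `) removed, which is the form the agent actually ships and the form ossec-logtest expects. The stock `windows` decoder's prematch `^WinEvtLog: ` is quoted from OSSEC's decoder.xml; the assumptions are that analysisd strips the leading `YYYY Mon DD HH:MM:SS ` timestamp before decoding and that only the `\.` ("any character") part of OSSEC's regex syntax needs translating here. The function names are mine.

```python
import re

# Simplified model of decoder selection in ossec-analysisd (an assumption for this
# example, not OSSEC's engine): decoders are tried in load order, first prematch wins.
# Stock decoder.xml entries ("windows") are loaded before local_decoder.xml ("chromoting").
DECODERS = [
    ("windows", r"^WinEvtLog: "),                 # stock OSSEC windows decoder prematch
    ("chromoting", r": chromoting: \.*chromoting"),  # the custom decoder from the post
]

# Leading timestamp in the form the Windows agent emits; assumed stripped before decoding.
_TIMESTAMP = re.compile(r"^\d{4} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d ")

# archives.log prefix: 'YYYY Mon DD HH:MM:SS (agent) ip->location '
_ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d \([^)]*\) \S+->\S+ "
)


def ossec_regex_to_python(pattern: str) -> str:
    """Translate the one OSSEC regex token used here: '\\.' means any character."""
    return pattern.replace(r"\.", ".")


def clean_event(log: str) -> str:
    """Drop the leading timestamp, leaving the message body the decoders see."""
    return _TIMESTAMP.sub("", log, count=1)


def strip_archive_header(line: str) -> str:
    """Turn an archives.log line back into the log as the agent shipped it."""
    m = _ARCHIVE_HEADER.match(line)
    return line[m.end():] if m else line


def select_decoder(log: str):
    """Return the name of the first decoder whose prematch matches, or None."""
    body = clean_event(log)
    for name, prematch in DECODERS:
        if re.search(ossec_regex_to_python(prematch), body):
            return name
    return None


# Constructed from the post: the archives.log line that was pasted into ossec-logtest.
LOGTEST_INPUT = (
    "2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog "
    "2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: "
    "(no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67."
)

# The same event as the agent delivers it to the server (header removed).
AGENT_INPUT = strip_archive_header(LOGTEST_INPUT)


if __name__ == "__main__":
    # With the archives.log header still attached, the body never starts with
    # "WinEvtLog: ", so the stock windows decoder is skipped and the custom one matches.
    print("pasted archives.log line ->", select_decoder(LOGTEST_INPUT))
    # With the header removed, the stock windows decoder claims the event first and
    # the custom decoder is never consulted.
    print("log as the agent ships it ->", select_decoder(AGENT_INPUT))
```

When debugging a rule that fires in ossec-logtest but not in production, the first thing to check is therefore whether the line fed to logtest is the log as delivered by the agent or an archives.log line with its header; in this model the two forms land on different decoders, which is exactly the symptom the post describes.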
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.