Re: [ossec-list] Debugging a rule that fires when tested with ossec-logtest but never fires in production


Jose Luis Ruiz

Jun 17, 2016, 1:38:13 PM
to ossec...@googlegroups.com, Kevin Branch
Hi Kevin

A silly question

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

On June 2, 2016 at 22:45:01, Kevin Branch (ke...@branchnetconsulting.com) wrote:

I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent.

The rule simply alerts on Chrome Remote Desktop events.

It uses this custom decoder:

<decoder name="chromoting">
    <prematch>: chromoting: \.*chromoting</prematch>
</decoder>

The rule is:

<rule id="100040" level="3">
  <decoded_as>chromoting</decoded_as>
  <description>Chrome Remote Desktop event - generic</description>
</rule>

My test event is:

2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.

When I feed this to ossec-logtest, the rule fires:

**Phase 3: Completed filtering (rules).
       Rule id: '100040'
       Level: '3'
       Description: 'Chrome Remote Desktop event - generic'
**Alert to be generated.

...but when I trigger the actual event on my OSSEC agent computer, the event only shows up on the OSSEC server in archives.log, never in alerts.log.

I have restarted OSSEC server many times and varied lots of things but I can't get it to fire on the real log event, only in ossec-logtest.

Please advise.  I don't have any idea what kinds of rule writing errors can be glossed over by ossec-logtest while causing rule failures in production.

Kevin
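A check for the logtest-versus-production difference Kevin describes, added here as an example and not code from the thread: ossec-logtest treats each stdin line as the entire log message, so pasting an archives.log line feeds it the server-side header ("date (agent) ip->location ") as part of the event, a prefix the agent never sent and that production decoders never see. This script strips that header so ossec-logtest receives the message as the agent delivered it; the header pattern and the ossec-logtest path are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Strip the archives.log header
# "YYYY Mon DD HH:MM:SS (agent) ip->location " so ossec-logtest gets the
# same text the agent delivered, not the server's archive line.

# Header pattern is an assumption derived from the archives.log line in the thread.
strip_archive_header() {
    sed -E 's/^[0-9]{4} [A-Za-z]{3} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} \([^)]*\) [^ ]+->[^ ]+ //'
}

# Constructed sample: the archives.log line quoted in the thread.
SAMPLE='2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.'

# Prints the sample with the archive header removed.
raw_message() {
    printf '%s\n' "$SAMPLE" | strip_archive_header
}

# Feeds one message to ossec-logtest if it is installed (path is an assumption;
# override with OSSEC_LOGTEST). Otherwise prints the command to run on the server.
run_logtest() {
    logtest=${OSSEC_LOGTEST:-/var/ossec/bin/ossec-logtest}
    if [ -x "$logtest" ]; then
        printf '%s\n' "$1" | "$logtest"
    else
        echo "ossec-logtest not found at $logtest; run this on the OSSEC server:" >&2
        echo "  printf '%s\\n' '$1' | $logtest" >&2
    fi
}

main() {
    msg=$(raw_message)
    echo "Archive line:  $SAMPLE"
    echo "Agent message: $msg"
    run_logtest "$msg"
}

main "$@"
```

If the rule fires on the archive line but not on the stripped message, the decoder that wins in production is a different one from the one logtest picked, which is the first thing to compare.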