ossec / alienvault - issues getting application logs to AlienVault

Sam Wallace

Feb 5, 2018, 6:07:21 PM
to ossec-list
Currently I'm getting my application logs to my archives.log file, but not my alerts.log file. When I run my event through ossec-logtest they make it through phase 2 with my custom decoder I built and then they also make it through phase 3 with the custom rule I built.

Where do I go from here? Even though it hits a rule, it doesn't get written to my alerts.log. Once I get it to alerts.log how do I go about writing a plugin to capture this event and put it into AlienVault proper.

Thank you!

Grant Leonard

Feb 6, 2018, 8:24:42 AM
to ossec-list
You need to make sure the numbers you picked for your new rules exist in a DS group and you have the correct translation statements in your .cfg.local file for the plugin.

Also, to ensure you get a hit with the rule, your level has to be > 0 to be written to alerts.log.

You are closing in, sir! Note that this is for OSSEC and not AlienVault. I happen to run both and know what you are doing, though this group might not be the best place for AlienVault-related questions of OSSEC.

All the best

Grant
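The level point above is the one that most often explains "matches in ossec-logtest but never lands in alerts.log": OSSEC only writes an alert when the rule's level reaches the `log_alert_level` configured in ossec.conf (default 1), so a level 0 rule is silent no matter how well it matches. The following added check is not from the thread or from the OSSEC project; it parses a rules fragment and lists the rule ids that would never reach alerts.log at a given threshold. The rule ids, the `myapp` decoder name and the rule text are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a local_rules.xml fragment (not taken from the thread).
# 100001 is a level 0 "base" rule; 100002 is the level 5 child that should alert.
SAMPLE_RULES = """
<group name="local,myapp,">
  <rule id="100001" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp: base rule, level 0 is never written to alerts.log</description>
  </rule>
  <rule id="100002" level="5">
    <if_sid>100001</if_sid>
    <match>login failed</match>
    <description>myapp: failed login</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return a list of (rule_id, level) tuples from an OSSEC rules fragment.

    OSSEC rule files may contain several top-level <group> elements with no
    single root, so the text is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        rules.append((int(rule.get("id")), int(rule.get("level", "0"))))
    return rules


def rules_below_alert_threshold(xml_text, log_alert_level=1):
    """Return ids of rules whose level is below ossec.conf's <log_alert_level>.

    Such a rule can pass phase 3 of ossec-logtest and still never appear in
    alerts.log. With the default threshold of 1, every level 0 rule is listed.
    """
    return [rid for rid, level in parse_rules(xml_text) if level < log_alert_level]


if __name__ == "__main__":
    silent = rules_below_alert_threshold(SAMPLE_RULES)
    for rid in silent:
        print(f"rule {rid} is below log_alert_level and will not reach alerts.log")
```

Run it against your own local_rules.xml by reading the file into `xml_text`; if the id of the rule that ossec-logtest reports as matching shows up in the output, raising its level (or lowering `log_alert_level` in ossec.conf) is the fix before any AlienVault plugin work starts.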