Hi Dan, I went ahead and created both, a local_decoder and a corresponding rule in local_rules.xml. I then ran the "/var/ossec/bin/ossec-logtest" command against my log lines, and it passed the test. The output showed "Decoder matched" and the "Alert to be generated" message as shown below. I then restarted the ossec-server after that. Now when I again plug in a USB on my Windows agent to test, I see the USB detection event make it to the archives.log file on the server, but it still didn't create an alert. When I check the alerts.log file, it does not have any log entry for my USB event. The ossec-logtest passed successfully. What am I missing?
root@securityonion:/var/ossec/logs/alerts# /var/ossec/bin/ossec-logtest
2018/03/30 19:36:01 ossec-testrule: INFO: Reading local decoder file.
2018/03/30 19:36:01 ossec-testrule: INFO: Started (pid: 18771).
ossec-testrule: Type one log per line.
018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted
**Phase 1: Completed pre-decoding.
full event: '018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted'
hostname: 'securityonion'
program_name: '(null)'
log: '018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted'
**Phase 2: Completed decoding.
decoder: 'ICS-lab-detect'
srcip: '172.16.3.10'
**Phase 3: Completed filtering (rules).
Rule id: '110001'
Level: '3'
Description: 'USB drive detected'
**Alert to be generated.
This is a snippet of my local_rules.xml:
<group name="syslog,ICS-lab-detect,">
  <rule id="110000" level="0">
    <decoded_as>ICS-lab-detect</decoded_as>
    <description>ICS Lab custom anomaly detection</description>
  </rule>
  <rule id="110001" level="3">
    <if_sid>110000</if_sid>
    <match>USB</match>
    <description>USB drive detected</description>
  </rule>
  <rule id="110002" level="3">
    <if_sid>110000</if_sid>
    <match>failure</match>
    <description>FactoryTalk Administration Console login failure</description>
  </rule>
</group>
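As an added example (not from the original post or from the OSSEC project), a small Python check that automates the archives.log-versus-alerts.log comparison described above: it lists events the server received whose text matches a keyword but that never appear as a fired alert. The alerts.log record layout assumed here (header line, location line, "Rule:" line, then the log text, records separated by a blank line) and all sample lines are constructed.

```python
import re

# Constructed sample data (not taken from the original post). archives.log holds
# every event the server received; alerts.log holds only events that fired a rule.
ARCHIVES_LOG = """\
2018 Mar 29 21:49:58 (ENGG-WORKSTATION) 172.16.3.10->rootcheck FactoryTalk Administration Console login failure for user operator
2018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted
"""

ALERTS_LOG = """\
** Alert 1522360198.1234: - syslog,ICS-lab-detect,
2018 Mar 29 21:49:58 (ENGG-WORKSTATION) 172.16.3.10->rootcheck
Rule: 110002 (level 3) -> 'FactoryTalk Administration Console login failure'
FactoryTalk Administration Console login failure for user operator

"""

# archives.log line layout assumed: "<date> (<agent>) <ip>-><location> <log>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \((?P<agent>[^)]+)\) "
    r"(?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Return {(location, log_text): rule_id} for every record in alerts.log."""
    fired = {}
    for record in text.strip().split("\n\n"):
        lines = record.splitlines()
        if len(lines) < 4 or not lines[0].startswith("** Alert"):
            continue
        location = lines[1].split("->", 1)[1] if "->" in lines[1] else ""
        m = RULE_RE.match(lines[2])
        if m:
            fired[(location, "\n".join(lines[3:]))] = int(m.group("id"))
    return fired


def find_unalerted(archives_text, alerts_text, needle):
    """Archive events containing `needle` that never produced an alert."""
    fired = parse_alerts(alerts_text)
    missing = []
    for line in archives_text.splitlines():
        m = ARCHIVE_RE.match(line)
        if m and needle in m.group("log") and (m.group("location"), m.group("log")) not in fired:
            missing.append(line)
    return missing


if __name__ == "__main__":
    for line in find_unalerted(ARCHIVES_LOG, ALERTS_LOG, "USB"):
        print("received but not alerted:", line)
```

Run against the real files (with the sample strings replaced by their contents) to see which received events fall through without an alert; the "failure" event in the sample is found in alerts.log, the USB one is not.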