Hi all - have been beating my head against the wall for some time now trying to get any sort of custom rules/decoders/alerts to work (have an ubuntu server, windows 10 and server 2019 clients, all updated & patched). Not finding the testing tool nor the logs helpful (the ossec log not throwing errors other than a duplicate agent key which I don't think is the problem), though suspect this is some sort of user knowledge problem (mine) that "everyone else knows"....
One oddity, while my ossec.conf on the server points to the canned rule sets (most of which I think are aimed at linux) in /var/ossec/rules, only rule 18107 in msauth_rules.xml is generating alerts that show up in my email (I've got the email alert part of ossec.conf set to 1, figuring I'd tighten that up later). Various alerts are showing up in archives.log and alerts.log, and e.g., alert settings in ms-se_rules.xml don't seem to work though the level is set to 7, 12 etc. on many of the rules, including when I do an Eicar test on a windows client that shows up in the windows event log. When I try to add in a <decoded_as> statement, ossec starts and runs fine (I think) but the testing tool using archives.log entries returns "no decoder found".
Have tried putting a <localfile> statement on the windows client pointing to the defender operational log that seems not to upset the ossec agent/service/agent log but doesn't seem to matter in terms of things showing up in the archives.log on the server.
Hoping for some tips on where to start to troubleshoot this all more effectively than I'm doing now (happy to provide logs and configs, more specificity on os versions etc).
Help? Thx:)
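Added example (not from the poster or the OSSEC project): one way to wire a Windows eventchannel log into custom OSSEC rules without a new decoder. It assumes the stock "windows" decoder (which already claims lines beginning "WinEvtLog: " and fills the id field), the Windows parent rule 18100, local rule ids 100100/100101 chosen here, and Defender event ID 1116 as the malware-detected event; verify the ID and channel name against your own archives.log.

```xml
<!-- Agent side (ossec.conf on the Windows client): collect the Defender
     operational channel. Assumed channel name; check it in Event Viewer. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- Server side (/var/ossec/rules/local_rules.xml). The agent sends each
     event as "WinEvtLog: <Channel>: <Level>(<EventID>): <Source>: ..." and the
     built-in windows decoder handles it, so rules chain from 18100 with
     <if_sid> rather than introducing a <decoded_as> for a decoder that
     never matches (a common cause of "no decoder found" in ossec-logtest). -->
<group name="local,windows,defender,">
  <rule id="100100" level="7">
    <if_sid>18100</if_sid>
    <match>Windows Defender/Operational</match>
    <description>Windows Defender operational event received.</description>
  </rule>

  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <!-- id is the EventID extracted by the windows decoder; 1116 assumed -->
    <id>^1116$</id>
    <description>Windows Defender reported malware detected.</description>
  </rule>
</group>
```

When feeding an archives.log entry to ossec-logtest, paste only the part starting at "WinEvtLog:"; the leading timestamp and "(agent) ip->" header belong to the archive format, not to the log line the decoders see.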