Hello Dan, hmmm those are binaries and I can't get anything out of them ...

The thing is, while troubleshooting my other issue ("Syscheck issue on Windows: alerts not generated for registry and executable checks: default OSSEC.conf") I have noticed the following behavior: while testing messages as they arrive to the system (using the logall option) with ossec-logtest, even for messages that have triggered an alert, it says 'No decoder found' and further processing is not done. So I am guessing that processing and triggering the relative alerts through rules is done elsewhere or with other means. It is very strange how it works, and to me this is a blind spot.

Thank you Dan.

On Dec 12, 10:06 pm, "dan (ddp)" <[email protected]> wrote:
> src/analysisd/decoders/{decode-xml.c,syscheck.c}
>
> On Mon, Dec 12, 2011 at 10:42 AM, alsdks <[email protected]> wrote:
> > Hello list,
> >
> > rules 550,551,552 specifying integrity checksum alerts call upon
> > decoders that I haven't been able to locate in decoders.xml or
> > anywhere else.
> >
> > They have:
> > <decoded_as>syscheck_integrity_changed</decoded_as>
> > <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> > <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >
> > Where are these decoders specified, to see what they are searching for
> > and how they decode the event message.
> >
> > Thank you
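Since the thread ends with a pointer to syscheck.c rather than an explanation, here is an added, simplified Python model (not OSSEC's code) of how a stateful decoder can produce the three decoder names that rules 550, 551 and 552 match on: it keeps a per-path checksum and change counter instead of matching text, which is consistent with a plain pasted line getting no decoder. Assumptions: the message layout '<checksum> <path>', the in-memory state and the cut-off after three changes are constructed for this example; the name syscheck_new_entry comes from OSSEC's syscheck rules, not from this thread.

```python
"""Added illustrative model of a stateful syscheck decoder (not OSSEC's code).

Message format '<checksum> <path>' and the in-memory state are assumptions
made for this example; OSSEC's real logic is in analysisd/decoders/syscheck.c.
"""
from dataclasses import dataclass, field

# Decoder names referenced by rules 550, 551 and 552 in the thread.
CHANGED = ("syscheck_integrity_changed",
           "syscheck_integrity_changed_2nd",
           "syscheck_integrity_changed_3rd")
MAX_ALERTED_CHANGES = len(CHANGED)

SAMPLE = [  # constructed messages, not real agent output
    "a1b2 /etc/passwd",   # first sighting -> new entry
    "a1b2 /etc/passwd",   # same checksum  -> nothing to decode
    "c3d4 /etc/passwd",   # 1st change
    "e5f6 /etc/passwd",   # 2nd change
    "0789 /etc/passwd",   # 3rd change
    "9abc /etc/passwd",   # 4th change -> ignored (assumed cut-off)
]


@dataclass
class SyscheckState:
    """Assumed in-memory stand-in for the per-agent file database."""
    last_sum: dict = field(default_factory=dict)  # path -> last checksum
    changes: dict = field(default_factory=dict)   # path -> prior changes


def decode_syscheck(state, message):
    """Return the decoder name for one message, or None if nothing fires."""
    checksum, path = message.split(" ", 1)
    previous = state.last_sum.get(path)
    if previous is None:
        state.last_sum[path] = checksum
        return "syscheck_new_entry"
    if previous == checksum:
        return None                      # unchanged file
    n = state.changes.get(path, 0)
    state.last_sum[path] = checksum
    state.changes[path] = n + 1
    if n >= MAX_ALERTED_CHANGES:
        return None                      # already alerted three times
    return CHANGED[n]                    # 1st, 2nd or 3rd change decoder


def replay(messages):
    """Feed messages through one shared state; return decoder names."""
    state = SyscheckState()
    return [decode_syscheck(state, m) for m in messages]


if __name__ == "__main__":
    for msg, dec in zip(SAMPLE, replay(SAMPLE)):
        print(f"{msg:22} -> {dec}")
```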
