On Fri, Jul 13, 2012 at 12:17 PM, Nick Davies <nick.badhedgehog.dav...@gmail.com> wrote:
> Good afternoon,
>
> there's every chance I'm missing something obvious, if so a mild beating
> with the cluebat would be welcomed.
>
> I'm trying to get an alert raised from the output of a script (a simple test
> Windows batch file in this case). The batch file is:
>
> echo off
> echo date_test:
> date /t
>
> I have a decoder to look for the output (or at least part of it), this
> being:
>
> <decoder name="date_test>

You need to close the quotes above.

> <prematch>date_test</prematch>
> </decoder>
>
> defined in the local_decoder.xml. Finally I have a rule, this being:
>
> <!-- Fires whenever there's some output from the test log monitoring
> script -->
> <rule id="110004" level="1">
> <decoded_as>date_test</decoded_as>
> <description>The foo date test log monitoring test script has
> run</description>
> <options>alert_by_email</options>
> </rule>
>
> defined in local_rules.xml. I've tested it with logtest, the output of this
> being:
>
> root@nick-VirtualBox:/var/ossec# ./bin/ossec-logtest
> 2012/07/13 15:45:25 ossec-testrule: INFO: Reading local decoder file.
> 2012/07/13 15:45:25 ossec-testrule: INFO: Started (pid: 2531).
> ossec-testrule: Type one log per line.
>
> date_test
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'date_test'
> hostname: 'nick-VirtualBox'
> program_name: '(null)'
> log: 'date_test'
>
> **Phase 2: Completed decoding.
> decoder: 'date_test'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '110000'
> Level: '1'
> Description: 'The date test log monitoring test script has run'
> **Alert to be generated.
>
> I have logall enabled and I'm seeing the output of the script in the
> archive.log but I never see an alert in alert.log.
>
> Any (and all) help appreciated.
>
> Regards,
>
> Nick

Please give us the output from the archive.log.
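As an added example, not part of the thread or of OSSEC itself: a small Python check that wraps the local_decoder.xml and local_rules.xml fragments in a root element (OSSEC config files have none), parses them, and reports the unclosed attribute quote from the decoder above, plus rule ids outside OSSEC's documented local range and <decoded_as> references to decoders that are not defined. The fragments are constructed from the ones quoted above; the range and reference checks are mine, not something ossec-logtest does.

```python
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the thread: the decoder as posted (the
# name attribute's closing quote is missing) and the same decoder fixed.
BROKEN_DECODER = '<decoder name="date_test>\n  <prematch>date_test</prematch>\n</decoder>\n'
FIXED_DECODER = '<decoder name="date_test">\n  <prematch>date_test</prematch>\n</decoder>\n'
LOCAL_RULES = (
    '<rule id="110004" level="1">\n'
    '  <decoded_as>date_test</decoded_as>\n'
    '  <description>The foo date test log monitoring test script has run</description>\n'
    '  <options>alert_by_email</options>\n'
    '</rule>\n'
)

def parse_fragment(text):
    """OSSEC config files have no single root element, so wrap them first.
    Returns (root, None) on success or (None, error_message) on a parse error."""
    try:
        return ET.fromstring("<ossec>" + text + "</ossec>"), None
    except ET.ParseError as err:
        return None, str(err)

def check_config(decoder_text, rules_text):
    """Return a list of problems; an empty list means both fragments look sane."""
    problems = []
    decoders, err = parse_fragment(decoder_text)
    if err:
        # An unclosed attribute quote swallows the following '<', which expat rejects.
        return ["local_decoder.xml is not well-formed XML: " + err]
    rules, err = parse_fragment(rules_text)
    if err:
        return ["local_rules.xml is not well-formed XML: " + err]
    decoder_names = {d.get("name") for d in decoders.iter("decoder")}
    for rule in rules.iter("rule"):
        rid = rule.get("id", "")
        # User-defined rules belong in OSSEC's local range 100000-119999.
        if not rid.isdigit() or not 100000 <= int(rid) <= 119999:
            problems.append(f"rule id {rid!r} is outside the local range 100000-119999")
        # Every <decoded_as> must name a decoder that actually exists.
        for ref in rule.iter("decoded_as"):
            if ref.text not in decoder_names:
                problems.append(f"rule {rid} references unknown decoder {ref.text!r}")
    return problems

if __name__ == "__main__":
    print(check_config(BROKEN_DECODER, LOCAL_RULES))
    print(check_config(FIXED_DECODER, LOCAL_RULES))
```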