On Mon, Sep 17, 2012 at 12:38 PM, Nick Davies <n...@badhedgehog.co.uk> wrote:
> Good afternoon,
>
> I'm after a bit of advice on custom rule debugging as I've got as far
> as I can along the path and think I should be seeing an alert but I'm
> not.
>
> I have a log file whose content is being collected via a powershell
> script.  The log file uses xml to delimit entries and I need to get
> one event per xml delimited block.  This is working fine and I'm
> getting one entry in the archive.log for each of the events in the
> source log.  I've then taken a single event from the archive log and
> placed it in a file called test.nd.  I had a problem (the entry was
> being intercepted by rule 1003) which was solved by making my custom
> rule a child of 1003.  When I run:
>
> cat test.nd | ossec-logtest
>
> It's reporting that the event was decoded by my custom decoder and
> triggered my custom rule.  However, when I restart ossec with the rule
> in place and see the events arriving in the archive.log I'm not seeing
> the corresponding entry in the alert.log.
>
> What am I missing please?
>
> Regards,
>
> Nick

Did you remove the header from the entry in archives.log?

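The reply above points at the usual cause of the "logtest fires, live daemon doesn't" symptom: an entry copied out of archives.log still carries the timestamp / agent / location prefix that OSSEC prepends when it archives an event, and ossec-logtest then decodes that prefix instead of the raw log text. The helper below is an added example (not code from the thread or from the OSSEC project) that strips that prefix so a test file contains only what the agent originally collected. It assumes the archives.log line layout `YYYY Mon DD HH:MM:SS [(agent) ]source->location <raw log>`; the sample entries are constructed, and `ArchivedEvent`, `strip_archive_header` and `raw_logs` are names chosen here.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Assumed archives.log entry layout (an assumption of this example, not quoted from the thread):
#   YYYY Mon DD HH:MM:SS [(agent) ]source->location <original log text>
# re.DOTALL lets the raw log span several lines, which matters for XML-delimited events.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) )?"
    r"(?P<source>\S+)->(?P<location>\S+) "
    r"(?P<log>.*)$",
    re.DOTALL,
)


class ArchivedEvent(NamedTuple):
    timestamp: Optional[str]
    agent: Optional[str]      # None for events logged by the server itself
    source: Optional[str]     # hostname or agent IP in front of "->"
    location: Optional[str]   # file path or collector name after "->"
    log: str                  # what the agent actually collected
    had_header: bool          # False when the entry was already raw


def strip_archive_header(entry: str) -> ArchivedEvent:
    """Split one archives.log entry into its OSSEC prefix and the raw log text.

    An entry without the prefix is returned unchanged with had_header=False,
    so the function is safe to run over a file that was already cleaned.
    """
    entry = entry.rstrip("\n")
    m = HEADER_RE.match(entry)
    if not m:
        return ArchivedEvent(None, None, None, None, entry, False)
    return ArchivedEvent(
        m["ts"], m["agent"], m["source"], m["location"], m["log"], True
    )


def raw_logs(entries: Iterable[str]) -> List[str]:
    """Return only the raw log text of each entry, ready to pipe into ossec-logtest."""
    return [strip_archive_header(e).log for e in entries]


# Constructed sample entries (not real archive data).
SAMPLE_LOCAL = (
    "2012 Sep 17 12:38:00 myhost->/var/log/test.log <Event><Id>1</Id></Event>"
)
SAMPLE_AGENT = (
    "2012 Sep 17 12:38:00 (winagent) 10.0.0.5->powershell "
    "<Event><Id>2</Id></Event>\n"
)
SAMPLE_MULTILINE = (
    "2012 Sep 17 12:38:00 myhost->/var/log/test.log <Event>\n"
    "  <Id>3</Id>\n"
    "</Event>\n"
)

if __name__ == "__main__":
    # Write the cleaned events to test.nd, then: cat test.nd | ossec-logtest
    for raw in raw_logs([SAMPLE_LOCAL, SAMPLE_AGENT, SAMPLE_MULTILINE]):
        print(raw)
```

Running the script prints the three events without their prefixes; feeding that output to ossec-logtest reproduces what the live analysis daemon actually sees, so a decoder or rule that only matches when the prefix is present will show up as a non-match here instead of in production.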