On Mon, Sep 17, 2012 at 1:09 PM, Nick Davies <n...@badhedgehog.co.uk> wrote:
>>
>> archives.log message:
>> 2012 Sep 17 00:00:01 ix->/var/log/messages Sep 17 00:00:01 ix syslogd: 
>> restart
>>
>> Header:
>> 2012 Sep 17 00:00:01 ix->/var/log/messages
>>
>> Log message without header:
>> Sep 17 00:00:01 ix syslogd: restart
>
> I have:
> 2012 Sep 17 16:54:28 )agent_name) apent_id->powershell -File
> C\/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 [script parameters]
> ossec: output: 'powershell -File
> C\/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 [script parameters]':
> [script output]
>
> Which part of this would be the header?
>
> Regards,
>
> Nick

Having never seen your logs, my guess would be: "> 2012 Sep 17
16:54:28 )agent_name) apent_id->powershell -File
> C\/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 [script parameters]"

But, since you do know what your logs are supposed to look like, maybe
you should be telling me?

It looks like you're using the command or full_command options, but
you didn't mention it in the original email so that can't be right.
Maybe you could fashion your rule to be similar to those types of
rules though.
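As an added illustration of the header/message split the thread is discussing (this is example code written for this page, not part of OSSEC or of either poster's message): a small parser that separates an archives.log line into its header (`YEAR Mon DD HH:MM:SS source->location`) and the log message that rules actually match against. The syslog case splits at the first space after the location; for command/full_command locations, whose location contains spaces, it assumes the log message begins at the `ossec: output:` marker shown in the quoted line. The sample lines, the agent name `(winagent) 001` and the script arguments are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional

# Constructed samples modelled on the two lines quoted in the thread.
SYSLOG_LINE = ("2012 Sep 17 00:00:01 ix->/var/log/messages "
               "Sep 17 00:00:01 ix syslogd: restart")
COMMAND_LINE = ("2012 Sep 17 16:54:28 (winagent) 001->powershell -File "
                "C:/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 -Verbose "
                "ossec: output: 'powershell -File "
                "C:/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 -Verbose': "
                "<event id=\"4624\"/>")

# Header: timestamp, then either "(agentname) id" or a bare hostname, then "->".
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\(\S+\) \S+|\S+)->(?P<rest>.*)$"
)
# Assumption: command output logs start their message with this marker,
# as in the quoted line; the text before it is the command (the location).
OUTPUT_MARKER = " ossec: output: "


class ArchiveRecord(NamedTuple):
    timestamp: str
    source: str
    location: str
    header: str   # everything up to and including the location
    message: str  # the log message without header (what rules see)


def split_archive_line(line: str) -> Optional[ArchiveRecord]:
    """Split one archives.log line into header and log message."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    if OUTPUT_MARKER in rest:
        # Command location: the location is the command string itself and
        # may contain spaces, so split at the output marker instead.
        location, tail = rest.split(OUTPUT_MARKER, 1)
        message = OUTPUT_MARKER.strip() + " " + tail
    else:
        # File location: location has no spaces; message starts after it.
        location, _, message = rest.partition(" ")
    header = f"{m.group('ts')} {m.group('src')}->{location}"
    return ArchiveRecord(m.group("ts"), m.group("src"), location, header, message)


def rule_matches(line: str, pattern: str) -> bool:
    """Apply a rule-style regex to the log message only, never the header.

    This mirrors why a <match> written against header text never fires:
    the decoder/rule pipeline sees only the message portion.
    """
    rec = split_archive_line(line)
    return rec is not None and re.search(pattern, rec.message) is not None


if __name__ == "__main__":
    for sample in (SYSLOG_LINE, COMMAND_LINE):
        rec = split_archive_line(sample)
        print("header :", rec.header)
        print("message:", rec.message)
        print()
```

Running the block prints the header and message for both samples; `rule_matches` shows that a pattern such as `syslogd: restart` fires on the message, while a pattern aimed at the header text (`/var/log/messages`) does not.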
