On Mon, Sep 17, 2012 at 1:22 PM, Nick Davies <n...@badhedgehog.co.uk> wrote: >> Having never seen your logs, my guess would be: "> 2012 Sep 17 >> 16:54:28 )agent_name) apent_id->powershell -File >>> C\/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 [script parameters]" >> >> But, since you do know what your logs are supposed to look like, maybe >> you should be telling me? >> > > Fair point. > >> It looks like you're using the command or full_command options, but >> you didn't mention it in the original email so that can't be right. >> Maybe you could fashion your rule to be similar to those types of >> rules though. > > I'm using the command local file type. Can you sppply a pointer to > which rules use that file type please? > > Regards, > > Nick
530 is one example. It should provide enough information on how to alert on your log messages.
