Hello. I've been asked to make OSSEC alert when an unknown log message is received. That is, one that doesn't match a decoder and/or a rule. As we receive the alerts, we will identify them and create decoders/rules as needed until we have identified everything. What we don't want is for something to be ignored or simply logged -- we want an alert.
I tried to create a decoder that matched .* but perhaps because I am such a novice, I did something wrong. Ideas/suggestions?
