Has "Error" in the log and it didn't match anything else?

--
Kevin Kelly
Director, Network Technology
Whitman College

----- Original Message -----
From: "Rick McClinton" <rickm...@gmail.com>
To: ossec-list@googlegroups.com
Sent: Friday, October 17, 2014 8:21:57 AM
Subject: [ossec-list] why is 1002 firing on this event

I can't figure out why this log line triggers rule 1002. Can anyone see it?

Background: I recently updated the server to 2.8.1. Today I added this web server's IIS log file to its agent's <localfiles> and now that it is sending the entries to the server, I am getting this alert from rule 1002. Have not overridden stock 1002 or the $BAD_WORDS definition from syslog_rules.xml.

Here is ossec-logtest output (some manual redaction performed):

**Phase 1: Completed pre-decoding.
       full event: '2014-10-17 15:06:09 192.168.2X.228 GET /personifyebusiness/XXXX/PersonifyScriptResource.axd s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-Personify.WebControls.ShoppingCart-*-k*-_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js&t=text/javascript&v=635470873431210000 443 mxxxx...@cxxxxxxx.net 172.X.0.X Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15'
       hostname: 'tmars1'
       program_name: '(null)'
       log: '2014-10-17 15:06:09 192.168.2X.228 GET /personifyebusiness/XXXX/PersonifyScriptResource.axd s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-Personify.WebControls.ShoppingCart-*-k*-_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js&t=text/javascript&v=635470873431210000 443 mxxxxx...@cxxxxxxx.net 172.X.0.X Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

thanks,
Rick McClinton

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
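The check Kevin is pointing at, written out as an added example (this is not code from the thread or from OSSEC itself): rule 1002 in syslog_rules.xml is a bare `<match>$BAD_WORDS</match>`, so any line whose text contains one of those tokens fires it, and the "Error" inside the filename ImageLoadErrorHandler.js in the URI query is enough. The script below reproduces that substring test on the redacted line from the post and reports which token hit and in which IIS field. Assumptions: the BAD_WORDS list is an approximation of the stock definition (check your own syslog_rules.xml), OSSEC `<match>` is treated as a case-insensitive substring test, the field order is the default IIS W3C layout inferred from the posted line, and the function names are invented for this example.

```python
"""Added example, not from the ossec-list thread: reproduce the substring test
behind OSSEC rule 1002 to show which $BAD_WORDS token an IIS line trips and
which W3C field the hit sits in.  Assumptions: BAD_WORDS approximates the stock
syslog_rules.xml list, and <match> behaves as a case-insensitive substring test."""

# Approximation of $BAD_WORDS from syslog_rules.xml (assumption, verify against your copy).
BAD_WORDS = [
    "core_dumped", "failure", "error", "attack", " bad ", "illegal ",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted",
]

# Default IIS W3C field order assumed from the posted line (14 space-separated fields).
IIS_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]

# The redacted line from the post, as pasted (IIS writes '+' for spaces in the user agent).
SAMPLE_LINE = (
    "2014-10-17 15:06:09 192.168.2X.228 GET "
    "/personifyebusiness/XXXX/PersonifyScriptResource.axd "
    "s=Personify.WebControls.Base-*-k*-_Personify.WebControls.Base.JS.*-"
    "_krequireJQuery.js_-_kjquery.gritter.min.js_-_kjson2.js_-"
    "_kjquery.ba-bbq.min.js_-_kmanager.js_-_kImageLoadErrorHandler.js-*-"
    "Personify.WebControls.ShoppingCart-*-k*-"
    "_Personify.WebControls.ShoppingCart.JS.*-_kShoppingCartItemEvents.js_-"
    "_kUmbrellaProductEditorEvents.js_-_kRegistrantBadgeEdit.js"
    "&t=text/javascript&v=635470873431210000 "
    "443 mxxxx...@cxxxxxxx.net 172.X.0.X "
    "Mozilla/5.0+(Windows+NT+6.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/37.0.2062.124+Safari/537.36 200 0 0 15"
)


def find_bad_words(log_line):
    """Return [(token, offset), ...] for every BAD_WORDS token present,
    matched case-insensitively the way OSSEC <match> does."""
    lower = log_line.lower()
    hits = []
    for token in BAD_WORDS:
        pos = lower.find(token.lower())
        if pos != -1:
            hits.append((token, pos))
    return hits


def locate_field(log_line, offset):
    """Map a character offset in a space-separated W3C line to (field, value)."""
    start = 0
    for name, value in zip(IIS_FIELDS, log_line.split(" ")):
        end = start + len(value)
        if start <= offset < end:
            return name, value
        start = end + 1  # skip the separating space
    return None, None


def explain_1002(log_line):
    """For each hit, report the token, the field it landed in, and a little
    surrounding text, so an analyst can tell a real error from a filename."""
    report = []
    for token, offset in find_bad_words(log_line):
        field, _ = locate_field(log_line, offset)
        context = log_line[max(0, offset - 12): offset + len(token) + 12]
        report.append((token, field, context))
    return report


if __name__ == "__main__":
    for token, field, context in explain_1002(SAMPLE_LINE):
        print(f"rule 1002 hit on {token!r} in field {field}: ...{context}...")
    # -> rule 1002 hit on 'error' in field cs-uri-query: ...-_kImageLoadErrorHandler.js-*...
```

Because the hit lands in cs-uri-query rather than in a status or message field, it is a false positive by construction: the request returned 200. The usual OSSEC remedy is a child rule in local_rules.xml with `<if_sid>1002</if_sid>` and `<level>0</level>` scoped to this log source, which silences the noise without editing the stock syslog_rules.xml or the shared $BAD_WORDS list.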