On Fri, Nov 13, 2015 at 10:44 AM, Daniel Bray <dbray...@gmail.com> wrote:
> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>>> I'm waiting to see if it generates an alert.
>
> Nope, issue remains. Very confusing.
I think if you start ossec-analysisd in debug mode it outputs the rule IDs it loads. Is 100005 in there?

I've put the rule in /var/ossec/rules/local_rules.xml and changed the hostnames to match my systems. Then running `echo ' : HAEngine : WARNING : 2 : Replay protection check failed' | logger -t mip` gives me the log in question in /var/log/messages. And here are the results:

** Alert 1447429935.7071: - local,syslog,
2015 Nov 13 10:52:15 arrakis->/var/log/messages
Rule: 100005 (level 4) -> 'Ignore MIP Alerts'
Nov 13 10:52:14 arrakis mip: : HAEngine : WARNING : 2 : Replay protection check failed

So it works (I changed the level so it shows up) with more than just ossec-logtest.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
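The check the reply above performs by hand (inject a log line with logger, then look in alerts.log for the rule that fired) can be scripted against the alerts.log format OSSEC writes. The following is an added example, not code from the thread or from the OSSEC project. The sample alerts.log content is constructed: the first entry reproduces the alert quoted in the reply, the second is a made-up sshd alert so the parser has more than one entry to work through. One caveat the reply hints at: OSSEC never writes level-0 alerts to alerts.log, so a rule meant to silence noise has to be temporarily raised above level 0 (as done above) before this kind of check can confirm it matches.

```python
"""Parse OSSEC alerts.log entries and report which rule fired for a given log line."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of /var/ossec/logs/alerts/alerts.log content (not a real capture).
# Entry format: "** Alert" header, "date host->location" line, "Rule:" line, then the
# raw log line(s) that matched; entries are separated by a blank line.
SAMPLE_ALERTS = """\
** Alert 1447429935.7071: - local,syslog,
2015 Nov 13 10:52:15 arrakis->/var/log/messages
Rule: 100005 (level 4) -> 'Ignore MIP Alerts'
Nov 13 10:52:14 arrakis mip: : HAEngine : WARNING : 2 : Replay protection check failed

** Alert 1447429940.7300: mail  - syslog,sshd,authentication_failed,
2015 Nov 13 10:52:20 arrakis->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Nov 13 10:52:19 arrakis sshd[2021]: Failed password for invalid user test from 10.0.0.5 port 40100 ssh2
"""

# The flags field between ':' and ' - ' is empty for plain alerts and holds 'mail' for
# alerts that were also e-mailed, so it is matched lazily and may be blank.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<flags>.*?) - (?P<groups>.*)$")
# Agent alerts use "(agentname) ip->location", so the host part may contain spaces.
LOCATION_RE = re.compile(r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    timestamp: int
    sequence: int
    mailed: bool
    groups: List[str]
    when: str
    host: str
    location: str
    rule_id: int
    level: int
    description: str
    log: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Parse alerts.log text into Alert records; blocks that do not fit the format are skipped."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        h, loc, rule = HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (h and loc and rule):
            continue
        alerts.append(Alert(
            timestamp=int(h["ts"]),
            sequence=int(h["seq"]),
            mailed="mail" in h["flags"],
            groups=[g for g in h["groups"].split(",") if g],
            when=loc["when"],
            host=loc["host"],
            location=loc["location"],
            rule_id=int(rule["id"]),
            level=int(rule["level"]),
            description=rule["desc"],
            log=lines[3:],
        ))
    return alerts


def rule_for_log(alerts: List[Alert], needle: str) -> Optional[int]:
    """Rule ID of the first alert whose matched log line contains `needle`, or None."""
    for a in alerts:
        if any(needle in line for line in a.log):
            return a.rule_id
    return None


def rule_fired(alerts: List[Alert], rule_id: int) -> bool:
    """True if any alert in the file was raised by `rule_id`."""
    return any(a.rule_id == rule_id for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.when} {a.host} rule {a.rule_id} level {a.level}: {a.description}")
    print("MIP log matched rule:", rule_for_log(parsed, "Replay protection check failed"))
```

To use it on a live box, read /var/ossec/logs/alerts/alerts.log into `parse_alerts` after running the logger command from the reply and call `rule_for_log` with a distinctive piece of the injected line; a result of None means either the line never reached analysisd, the rule is level 0 and so is not logged, or the rule was not loaded at all, which is what the debug-mode rule listing mentioned above would settle.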