On Mon, Nov 30, 2015 at 9:59 AM, Daniel Bray <dbray...@gmail.com> wrote:
> On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote:
>>
>> And strangely enough, this works just fine for me (ignored when fed
>> through logger).
>>
>> Can you update to the latest OSSEC source from github and try that?
>
>
> Updated to latest github update, and issue remains. Logtest shows Level 0,
> alerts come to email as level 2.
>

Last idea at the moment:
Copy archives.log.
Open the copy in a text editor.
Find an entry you want to test against and delete everything else.
Delete the archives.log header from your chosen entry.
Run that through ossec-logtest: `cat copy-of-archives.log | /var/ossec/bin/ossec-logtest`
See if it still gets reported as a 0.

Maybe there's some odd spacing issue that isn't maintained when copy/pasting it.

>
> Side note: Kudos to the developers, the upgrade was VERY easy over top the
> existing RPM install:
> git clone https://github.com/ossec/ossec-hids.git
> cd ossec-hids
> ./install
> - You already have OSSEC installed. Do you want to update it? (y/n): y
> - Do you want to update the rules? (y/n): y
> ....done! Nice and quick.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
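
The archives.log test described above, scripted as an added example (not part of the original thread and not OSSEC's own code). It assumes each archives.log entry begins with `YYYY Mon DD HH:MM:SS <location> `, where `<location>` ends in `->/path`; the function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed archives.log entry layout:
#   "YYYY Mon DD HH:MM:SS <location> <original log line>"
# where <location> is "host->/path" or, for agents, "(name) ip->/path".

# Strip the archives.log header and leave the raw event byte-for-byte,
# so tabs and trailing spaces survive (a text editor may alter them).
strip_archives_header() {
    sed -E 's/^[0-9]{4} [A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^>]*->[^ ]* //'
}

# Make the whitespace that copy/paste tends to lose visible.
reveal_whitespace() {
    tab=$(printf '\t'); cr=$(printf '\r')
    sed -e "s/${tab}/<TAB>/g" -e "s/${cr}/<CR>/g" -e 's/ $/<TRAILING-SP>/'
}

# Usage: sh check-entry.sh copy-of-archives.log
# (the copy should contain only the entry under test)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    # 1. Inspect the event for spacing a pasted copy would not preserve.
    strip_archives_header < "$1" | reveal_whitespace
    # 2. Feed the untouched bytes to ossec-logtest and read the reported level.
    strip_archives_header < "$1" | /var/ossec/bin/ossec-logtest
fi
```

If logtest reports a different level for this input than for the same event pasted by hand, compare the `reveal_whitespace` output of both to find the differing bytes.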