I wrote a rule in OSSEC to send an email alert anytime the following string 
appears in a log (it's a flat log file with no extension):

2016-01-20T17:49:19 Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete

The rule should be triggered anytime the words "error validating" appear. 
Below is the rule:

<!-- Syslog errors. -->
<group name="syslog,errors,">
  <rule id="8888" level="12">
    <match>error validating</match>
    <options>alert_by_email</options>
    <description>An error was found in an order</description>
  </rule>
</group>

For testing purposes I placed a log file in C:\logs and set the configuration 
file to look in that directory; it's the fourth one down:

<ossec_config>

  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>C:\logs\BatchLog_LT_01192016203220</location>
    <log_format>syslog</log_format>
  </localfile>

</ossec_config>

However, it does not seem to be working. When I go in and restart the agent, 
it appears to successfully analyze the logs, except it does not trigger an 
alert. Below is the ossec.log after restarting:

2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
2016/01/22 15:04:29 ossec-agent(4102): INFO: Connected to the server (10.8.216.157:1514).
2016/01/22 15:04:29 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build 7601) - OSSEC HIDS v2.8.3).
2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2016/01/22 15:04:30 ossec-agent(1950): INFO: Analyzing file: 'C:\logs\BatchLog_LT_01192016203220'.
2016/01/22 15:04:30 ossec-agent: INFO: Started (pid: 7268).

Any ideas? Is my config on the agent not right? Also, what if I wanted to 
look in a specific folder and analyze all logs in that folder, such as 
<location>C:\logs\Batch*</location>? Will this work to view all log files 
that begin with 'Batch'?

Thanks!
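An offline way to sanity-check a rule like this before relying on the manager to fire it. The script below is an added example and is not OSSEC code; it parses the rule snippet from the post with Python's standard XML parser, runs each rule's `<match>` string over constructed sample lines (the one from the post plus a benign line), and reports which rule fires and whether it carries `alert_by_email`. Two things are assumptions rather than OSSEC facts and are labelled as such in the code: `<match>` is modelled as a plain substring test with a case-sensitivity switch (OS_Match also supports `^`, `$` and `|`, which are not modelled), and the well-formedness check simply asks whether the snippet parses, which the post's original snippet (missing its `</group>`) does not.

```python
"""
Offline checker for OSSEC-style <match> rules (added example, not OSSEC code).

Parses a rule snippet and runs each <match> string over sample log lines, so
a rule can be checked before it is deployed. ASSUMPTION: <match> is treated as
a plain substring test with a case-sensitivity switch; OS_Match anchors (^, $)
and alternation (|) are not modelled here.
"""
import xml.etree.ElementTree as ET

# Rule from the post, with the </group> tag closed so that it parses.
RULES_XML = """<group name="syslog,errors,">
  <rule id="8888" level="12">
    <match>error validating</match>
    <options>alert_by_email</options>
    <description>An error was found in an order</description>
  </rule>
</group>"""

# The snippet as it appeared in the post, without the closing </group>.
RULES_XML_UNCLOSED = RULES_XML.rsplit("</group>", 1)[0]

# Constructed sample lines: the post's error line plus one benign line.
SAMPLE_LINES = [
    '2016-01-20T17:49:19 Error validating xml data against the schema on '
    'line 272 Content of element "litleTxnId" is incomplete',
    '2016-01-20T17:50:02 Batch processed successfully, 14 transactions',
]


def xml_is_well_formed(xml_text):
    """True if the snippet parses; a missing closing tag makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_rules(xml_text):
    """Return one dict per <rule>: id, level, match, description, options."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level", "0")),
            "match": rule.findtext("match") or "",
            "description": rule.findtext("description") or "",
            "options": [o.text for o in rule.findall("options")],
        })
    return rules


def rule_matches(rule, line, case_sensitive):
    """Substring semantics (assumption); optionally fold case first."""
    needle, hay = rule["match"], line
    if not case_sensitive:
        needle, hay = needle.lower(), hay.lower()
    return bool(needle) and needle in hay


def evaluate(xml_text, lines, case_sensitive=False):
    """Return (line_index, rule_id, emails) for every rule that fires."""
    rules = load_rules(xml_text)
    hits = []
    for i, line in enumerate(lines):
        for r in rules:
            if rule_matches(r, line, case_sensitive):
                hits.append((i, r["id"], "alert_by_email" in r["options"]))
    return hits


if __name__ == "__main__":
    print("original snippet well-formed:", xml_is_well_formed(RULES_XML_UNCLOSED))
    for cs in (False, True):
        print(f"case_sensitive={cs}: {evaluate(RULES_XML, SAMPLE_LINES, cs)}")
```

Running it shows the rule firing on the post's line only when the comparison folds case, since the log says "Error validating" while the rule says "error validating"; whichever semantics the real engine applies, testing both makes the dependency explicit instead of discovering it after deployment.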

