Thanks for the response.
I ran log test with the following output:
ossec-testrule: Type one log per line.
2016-01-20T17:49:19 Error validating xml data against the schema on line 272
Content of element "litleTxnId" is incomplete
**Phase 1: Completed pre-decoding.
full event: '2016-01-20T17:49:19 Error validating xml data against
the schema on line 272'
hostname: 'kali'
program_name: '(null)'
log: '2016-01-20T17:49:19 Error validating xml data against the
schema on line 272'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '8888'
Level: '12'
Description: 'An error was found in an order'
**Alert to be generated.
On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>
> Have you run your log entry through ossec-logtest on the server? This will
> tell you if an alert should be generated or not. It is always possible that
> another rule is matching first or perhaps your rule isn’t working as
> expected. There are a couple potential issues with your rule, but I would
> suggest checking ossec-logtest and reporting back before you get too far
> into the nitty gritty.
>
>
>
> You can use %Y, %m, and %d in your filenames to represent the year, month
> and day, respectively. The file has to exist before the agent starts,
> otherwise it won’t be monitored. IIRC, wildcards (asterisks) do not work
> with the Windows agent for some strange reason.
>
>
>
>
>
> *From:* ossec...@googlegroups.com <javascript:> [mailto:
> ossec...@googlegroups.com <javascript:>] *On Behalf Of *Greg Burns
> *Sent:* Friday, January 22, 2016 1:08 PM
> *To:* ossec-list <ossec...@googlegroups.com <javascript:>>
> *Subject:* [ossec-list] Log file not triggering alert
>
>
>
> I wrote a rule in OSSEC to send an email alert anytime the following
> string appears in a log (its a flat log file with no extension):
>
>
>
> 2016-01-20T17:49:19 Error validating xml data against the
> schema on line 272 Content of element "litleTxnId" is incomplete
>
>
>
> the rule should be triggered anytime the word "error validating" appear.
> Below is the rule:
>
>
>
> <!-- Syslog errors. -->
>
> <group name="syslog,errors,">
>
> <rule id="8888" level="12">
>
> <match>error validating</match>
>
> <options>alert_by_email</options>
>
> <description>An error was found in an order</description>
>
> </rule>
>
>
>
>
>
> For testing purposes placed a log file in C:\logs and set the
> configuration file to look in that directory- its the fourth one down
>
>
>
> <ossec_config>
>
>
>
> <!-- One entry for each file/Event log to monitor. -->
>
> <localfile>
>
> <location>Application</location>
>
> <log_format>eventlog</log_format>
>
> </localfile>
>
>
>
> <localfile>
>
> <location>Security</location>
>
> <log_format>eventlog</log_format>
>
> </localfile>
>
>
>
> <localfile>
>
> <location>System</location>
>
> <log_format>eventlog</log_format>
>
> </localfile>
>
>
>
> <localfile>
>
> <location>C:\logs\BatchLog_LT_01192016203220</location>
>
> <log_format>syslog</log_format>
>
> </localfile>
>
>
>
> However it does not seem to be working. When I go in and restart the agent
> it appears to successfully analyze the logs except it does not trigger an
> alert. below is the ossec.log after restarting:
>
>
>
> 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
>
>
>
> 2016/01/22 15:04:29 ossec-agent(4102): INFO: Connected to the server (
> 10.8.216.157:1514).
>
>
>
> 2016/01/22 15:04:29 ossec-agent: INFO: System is Vista or newer (Microsoft
> Windows 7 Business Edition Professional Service Pack 1 (Build 7601) - OSSEC
> HIDS v2.8.3).
>
>
>
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log:
> 'Application'.
>
>
>
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log:
> 'Security'.
>
>
>
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>
>
>
> 2016/01/22 15:04:30 ossec-agent(1950): INFO: Analyzing file:
> 'C:\logs\BatchLog_LT_01192016203220'.
>
>
>
> 2016/01/22 15:04:30 ossec-agent: INFO: Started (pid: 7268).
>
>
>
> Any idea's? Is my config on the agent not right? - Also what if I wanted
> to look in a specific folder and analyze all logs in that folder? such as
> <location>C:\logs\Batch*</location> - will this work to view all log files
> that begin with 'Batch"?
>
>
>
> Thanks!
>
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com <javascript:>.
> For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
