Thanks for the response. I ran ossec-logtest with the following output:
ossec-testrule: Type one log per line.

2016-01-20T17:49:19 Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete

**Phase 1: Completed pre-decoding.
       full event: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
       hostname: 'kali'
       program_name: '(null)'
       log: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '8888'
       Level: '12'
       Description: 'An error was found in an order'
**Alert to be generated.

On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>
> Have you run your log entry through ossec-logtest on the server? This will
> tell you if an alert should be generated or not. It is always possible that
> another rule is matching first or perhaps your rule isn't working as
> expected. There are a couple potential issues with your rule, but I would
> suggest checking ossec-logtest and reporting back before you get too far
> into the nitty gritty.
>
> You can use %Y, %m, and %d in your filenames to represent the year, month
> and day, respectively. The file has to exist before the agent starts,
> otherwise it won't be monitored. IIRC, wildcards (asterisks) do not work
> with the Windows agent for some strange reason.
>
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Greg Burns
> Sent: Friday, January 22, 2016 1:08 PM
> To: ossec-list <ossec...@googlegroups.com>
> Subject: [ossec-list] Log file not triggering alert
>
> I wrote a rule in OSSEC to send an email alert anytime the following
> string appears in a log (it's a flat log file with no extension):
>
> 2016-01-20T17:49:19 Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete
>
> The rule should be triggered anytime the words "error validating" appear.
> Below is the rule:
>
> <!-- Syslog errors. -->
> <group name="syslog,errors,">
>   <rule id="8888" level="12">
>     <match>error validating</match>
>     <options>alert_by_email</options>
>     <description>An error was found in an order</description>
>   </rule>
> </group>
>
> For testing purposes I placed a log file in C:\logs and set the
> configuration file to look in that directory; it's the fourth one down:
>
> <ossec_config>
>   <!-- One entry for each file/Event log to monitor. -->
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>C:\logs\BatchLog_LT_01192016203220</location>
>     <log_format>syslog</log_format>
>   </localfile>
> </ossec_config>
>
> However, it does not seem to be working. When I go in and restart the agent
> it appears to successfully analyze the logs, except it does not trigger an
> alert. Below is the ossec.log after restarting:
>
> 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
> 2016/01/22 15:04:29 ossec-agent(4102): INFO: Connected to the server (10.8.216.157:1514).
> 2016/01/22 15:04:29 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build 7601) - OSSEC HIDS v2.8.3).
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2016/01/22 15:04:30 ossec-agent(1950): INFO: Analyzing file: 'C:\logs\BatchLog_LT_01192016203220'.
> 2016/01/22 15:04:30 ossec-agent: INFO: Started (pid: 7268).
>
> Any ideas? Is my config on the agent not right? Also, what if I wanted
> to look in a specific folder and analyze all logs in that folder, such as
> <location>C:\logs\Batch*</location>? Will this work to view all log files
> that begin with "Batch"?
>
> Thanks!
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
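An added example, not part of the thread and not OSSEC's own code, that turns the two checks discussed above into something scriptable: (1) the rule's `<match>` behaviour replayed over a handful of constructed log lines, treating it as a case-insensitive substring test because that is exactly what the ossec-logtest run above shows (`error validating` fired on `Error validating`), and (2) a small parser for ossec-logtest's Phase 1/2/3 transcript so that many lines can be pushed through the tool and the rule id, level and "Alert to be generated" verdict checked automatically. The transcript `LOGTEST_HIT` is transcribed from the output posted in the thread; `LOGTEST_MISS`, the sample lines, the rule dict and all function names are constructed for this example.

```python
import re

# --- Part 1: replay the thread's <match> against sample lines -------------
# Rule 8888 from the thread, reduced to the fields the matcher needs.
RULE_8888 = {"id": "8888", "level": 12, "match": "error validating"}

# Constructed sample lines; only the first two contain the match string.
SAMPLE_LINES = [
    '2016-01-20T17:49:19 Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete',
    "2016-01-20T17:50:02 ERROR VALIDATING xml data against the schema on line 13",
    "2016-01-20T17:51:40 Batch 4412 processed successfully",
]


def rule_matches(rule, line):
    """<match> is a plain substring test, not a regex. The ossec-logtest run in
    the thread shows it firing on 'Error validating' for the pattern
    'error validating', so the comparison is done case-insensitively."""
    return rule["match"].lower() in line.lower()


def evaluate(rule, lines):
    """Return a list of (line, fired) pairs for the given rule."""
    return [(line, rule_matches(rule, line)) for line in lines]


# --- Part 2: scrape an ossec-logtest transcript ---------------------------
# Phase 3 fields as ossec-logtest prints them, plus the final verdict line.
_RULE_RE = re.compile(r"Rule id: '(\d+)'")
_LEVEL_RE = re.compile(r"Level: '(\d+)'")
_DESC_RE = re.compile(r"Description: '([^']*)'")


def parse_logtest(output):
    """Extract rule id, level, description and the alert verdict from
    ossec-logtest output. Returns None when no 'Rule id:' line is present,
    i.e. Phase 3 never reported a match."""
    rule = _RULE_RE.search(output)
    if not rule:
        return None
    level = _LEVEL_RE.search(output)
    desc = _DESC_RE.search(output)
    return {
        "rule_id": rule.group(1),
        "level": int(level.group(1)) if level else None,
        "description": desc.group(1) if desc else "",
        "alert": "**Alert to be generated." in output,
    }


# Transcript of the run posted in the thread (rule 8888 fires).
LOGTEST_HIT = """\
**Phase 1: Completed pre-decoding.
       full event: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
       hostname: 'kali'
       program_name: '(null)'
       log: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '8888'
       Level: '12'
       Description: 'An error was found in an order'
**Alert to be generated.
"""

# Constructed transcript for a line that matches nothing: no Phase 3 rule lines.
LOGTEST_MISS = """\
**Phase 1: Completed pre-decoding.
       full event: '2016-01-20T17:51:40 Batch 4412 processed successfully'
       hostname: 'kali'
       program_name: '(null)'
       log: '2016-01-20T17:51:40 Batch 4412 processed successfully'

**Phase 2: Completed decoding.
       No decoder matched.
"""


if __name__ == "__main__":
    for line, fired in evaluate(RULE_8888, SAMPLE_LINES):
        print(("FIRE  " if fired else "      ") + line[:60])
    print(parse_logtest(LOGTEST_HIT))
    print(parse_logtest(LOGTEST_MISS))
```

Because ossec-logtest only exercises the server-side rule engine, a hit there says nothing about whether the agent ever forwarded the line. For the agent side, append a fresh line to the monitored file after the agent has started and watch for the alert: the OSSEC 2.x logcollector begins reading an existing file at its end, so content that was already in `C:\logs\BatchLog_LT_01192016203220` before the restart is not sent, which is consistent with the log above showing the file being analyzed yet no alert appearing.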