I think one of the problems is that this use case was never considered. Going back to check old logs might be a good idea, but deleting the current alerts to do it seems bad. The "-a" flag for ossec-logtest might be useful. It should output the results in the same format ossec-analysisd does.
For example:

# cat /var/log/messages | /var/ossec/bin/ossec-logtest -a 2>&1 | less
2016/06/03 09:44:32 ossec-testrule: INFO: Reading local decoder file.
2016/06/03 09:44:33 ossec-testrule: INFO: Started (pid: 57522).

** Alert 1464961473.1: - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1005 (level 5) -> 'Syslogd restarted.'
Jun 3 06:00:01 ipyr syslogd: restart

** Alert 1464961473.2: mail - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jun 3 06:08:54 ipyr ntpd[44444]: tls connect failed: 2607:f8b0:4004:80b::2004 (www.google.com): connect: No route to host

** Alert 1464961473.3: mail - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jun 3 06:23:55 ipyr ntpd[88218]: tls connect failed: 2607:f8b0:4004:80b::2004 (www.google.com): connect: No route to host

** Alert 1464961473.4: mail - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jun 3 06:38:56 ipyr ntpd[9184]: tls connect failed: 2607:f8b0:4004:80b::2004 (www.google.com): connect: No route to host

(and on and on, I really need to filter that)

On Thu, Jun 2, 2016 at 4:29 PM, Pedro Sanchez <[email protected]> wrote:
> Like Dan said, it won't rescan old logs.
>
> If you are looking for a way to rescan every past event.. that will be difficult
> and even if you can do it, the alerts timestamp will be wrong.
>
> I am sorry but I am not sure I understand what you mean by "restart the
> predecoding, decoding of everything".
>
> Please don't hesitate to keep asking, I'll be happy to help.
>
>
> On Thu, Jun 2, 2016 at 3:59 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Jun 2, 2016 at 9:19 AM, Tahir Hafiz <[email protected]> wrote:
>> > Thanks Pedro,
>> >
>> > So if I "rm /var/ossec/logs/alerts/alerts.log"
>> > And then "service ossec restart", that should be enough to restart the
>> > predecoding, decoding of everything and test out my local_rules.xml to see
>> > if certain alerts no longer appear in the alerts.log?
>> >
>>
>> I don't think it will rescan old logs.
>>
>> > I will have a play with ossec-logtest too.
>> >
>> > Cheers
>> >
>> >
>> > On Thursday, 2 June 2016 12:31:59 UTC+1, Pedro S wrote:
>> >>
>> >> Hi Tahir,
>> >>
>> >> I don't think OSSEC has a tool to do that. The option you have is to remove
>> >> previous/old alerts files, remove the alerts.log file and restart OSSEC; another
>> >> possibility is to create an intermediate script to search for all the
>> >> occurrences of the alerts and remove them from every past alerts file.
>> >>
>> >> If you need to test the rules you created, you can do that using
>> >> /var/ossec/bin/ossec-logtest: paste the event you want to test to inspect it.
>> >> You won't need to restart OSSEC because ossec-logtest loads the rules every
>> >> time you run it, but once you check that the rule is working you will need
>> >> to restart OSSEC to apply the changes.
>> >>
>> >>
>> >> On Thursday, June 2, 2016 at 12:48:14 PM UTC+2, Tahir Hafiz wrote:
>> >>>
>> >>> Dear All,
>> >>>
>> >>> If I make changes to my local_rules.xml and add some rules in there to
>> >>> effectively whitelist some false positives which happen as an environment
>> >>> starts building (i.e. make them associate to level 0).
>> >>> And then I want to test my new local_rules.xml without having to destroy
>> >>> and start a new environment again - is there a way to wipe clean the alerts
>> >>> file and get OSSEC to do its predecoding, decoding stuff from all the
>> >>> received log entries from the OSSEC agents from fresh?
>> >>> So effectively have a fresh alerts file which implements my new changes
>> >>> in the local_rules.xml file.
>> >>>
>> >>> Cheers
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
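Because ossec-logtest -a prints alerts in the same layout ossec-analysisd writes, the replay described in the thread can be checked mechanically rather than paged through in less. The block below is an added example, not code from the thread or from OSSEC: it parses captured logtest output (a constructed sample built from the alerts quoted above), counts alerts per rule id and level, and reports which rules fire less often after a local_rules.xml edit, which is the check Tahir was after. Function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `ossec-logtest -a` output, in the layout quoted in the
# thread (the event lines are the ones shown there).
SAMPLE_OUTPUT = """\
2016/06/03 09:44:33 ossec-testrule: INFO: Started (pid: 57522).
** Alert 1464961473.1: - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1005 (level 5) -> 'Syslogd restarted.'
Jun 3 06:00:01 ipyr syslogd: restart

** Alert 1464961473.2: mail - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jun 3 06:08:54 ipyr ntpd[44444]: tls connect failed: 2607:f8b0:4004:80b::2004 (www.google.com): connect: No route to host

** Alert 1464961473.3: mail - syslog,errors,
2016 Jun 03 09:44:33 ipyr->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jun 3 06:23:55 ipyr ntpd[88218]: tls connect failed: 2607:f8b0:4004:80b::2004 (www.google.com): connect: No route to host
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(output):
    """Split logtest output into alert records; the INFO preamble is skipped."""
    alerts = []
    for block in output.split("** Alert ")[1:]:
        lines = block.strip().splitlines()
        rule_idx = next(i for i, l in enumerate(lines) if l.startswith("Rule: "))
        m = RULE_RE.match(lines[rule_idx])
        alerts.append({
            "alert_id": lines[0].split(":", 1)[0],
            "rule": int(m.group(1)),
            "level": int(m.group(2)),
            "description": m.group(3),
            "log": lines[rule_idx + 1:],  # the original event(s) that matched
        })
    return alerts

def summarize(alerts):
    """Alert count per (rule id, level): the view to compare between two runs."""
    return Counter((a["rule"], a["level"]) for a in alerts)

def dropped_rules(before, after):
    """(rule, level) keys firing less often after the rule change, as (old, new)."""
    return {k: (n, after.get(k, 0)) for k, n in before.items() if after.get(k, 0) < n}
```

Feed it the captured output of `cat /var/log/messages | /var/ossec/bin/ossec-logtest -a 2>&1` once before and once after editing local_rules.xml; a rule moved to level 0 shows up in dropped_rules with a new count of 0.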
