Hi, you should create decoders and rules for that event. Check out the documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/analysis.html
Also, you can use the binary /var/ossec/bin/ossec-logtest to test your own decoders/rules.

On Monday, January 30, 2017 at 7:04:34 AM UTC-8, Eli Tunkel wrote:
> 2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] Became Leader!!! |TAGS|
> 2016-07-24 11:43:22,707 INFO [main-EventThread ] [.m.async.facade.Bootstrap] ############################## Leader election: *Server is leader and starting* ############################## |TAGS|
>
> I have added the custom path for this log to the ossec.conf. This is a sample log I want to capture; the phrase I want to make a rule for is "*Server is leader and start*".
>
> Thanks friend,
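
A local decoder and rule pair for the sample lines quoted above, as an added example that is not part of the original thread. The decoder name, rule IDs, alert level and descriptions are constructed for illustration, and the match string assumes the asterisks in the quoted line are mail formatting rather than part of the log.

```xml
<!-- /var/ossec/etc/local_decoder.xml -->
<!-- Hypothetical decoder name. The prematch is unanchored and keys on the
     logger name seen in the sample lines, so it does not depend on how
     OSSEC pre-decodes the leading timestamp. -->
<decoder name="app-leader-log">
  <prematch>async.facade.Bootstrap</prematch>
</decoder>

<!-- /var/ossec/rules/local_rules.xml -->
<!-- Rule IDs are constructed; the 100000+ range is the one set aside
     for local rules. -->
<group name="local,app-leader,">
  <!-- Base rule: groups every event claimed by the decoder above and
       raises no alert on its own (level 0). -->
  <rule id="100100" level="0">
    <decoded_as>app-leader-log</decoded_as>
    <description>Application Bootstrap log (grouping rule).</description>
  </rule>

  <!-- Child rule: fires only on the leader-election line. -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>is leader and starting</match>
    <description>Leader election: server is leader and starting.</description>
  </rule>
</group>
```

Paste the sample log line into /var/ossec/bin/ossec-logtest to confirm that the decoder is selected and rule 100101 is reported, then restart OSSEC so the running daemons load the new files.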