Yup, that's actually what I did to make it work. I was hoping I was just overlooking something to make a single rule using an 'AND' type statement.
On Thursday, January 25, 2018 at 7:27:06 AM UTC-5, dan (ddpbsd) wrote: > > On Tue, Jan 23, 2018 at 3:16 PM, Bruce Westbrook <bwest...@gmail.com > <javascript:>> wrote: > > Running OSSEC v2.8.3 > > > > Can we create a custom rule that performs multiple <match> as an 'AND' ? > I > > need to match multiple, non-contiguous patterns from the log portion. > > > > For instance, a Windows event log comes in with the following log data: > > > > 2018 Jan 22 23:59:54 WinEvtLog: Security: AUDIT_FAILURE(4776): > > Microsoft-Windows-Security-Auditing: (no user): no domain: > dc.domain.local: > > The domain controller attempted to validate the credentials for an > account. > > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon > Account: > > USER-A Source Workstation: WORKSTATION-A Error Code: 0xc0000064 > > > > Taking this example, I need to match BOTH "USER-A" and the source > > workstation "WORKSTATION-A" for a custom rule. However, if "USER-A" is > on a > > different source workstation, I don't want the rule to fire, so I need > to > > match both items specifically. > > > > As far as I can tell the <match> only has an 'OR' using the pipe '|'. > > > > How would I do multiple matches in the log content like this? > > > > Can you setup a parent and child rule for this? > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.