OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Problem with hostname filter in personalized rules

My setup is server/agent.

My rule:

Test with ossec-logtest for "Apr 2 18:03:29 k8smaster kernel: device veth39f40958 entered promiscuous mode":

Result expected is OK.

Restart ossec on server and agent, set the error on the agent:

    logger -t "kernel" "device veth39f40958 entered promiscuous mode"

and check in server/ossec.log. The rule is fired with level 8 as expected with the original rule (5104), but rule 100020 has not been applied!!!! Reality: KO.

Now test with the rule:

I've just removed the hostname attribute.

Test with logtest:

Expected: OK.

Restart ossec on server and agent, set the error on the agent:

    logger -t "kernel" "device veth39f40958 entered promiscuous mode"

and check in server/ossec.log. Result expected is OK.

So there is a filter problem; I would like to filter on "hostname".

Thank you so much for your job.
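The two outcomes in the report (the child rule fires under ossec-logtest, only the parent rule 5104 fires on the server) both come down to what value the hostname field carries when the rule is evaluated. The following is an added example, not OSSEC code and not the reporter's rule: a minimal syslog-header parser and a two-rule evaluator modelled on rules 5104 and 100020. The rule table, the hostname regex `^k8smaster$`, and the second input event with hostname `agent01` are all constructed assumptions used to show how a hostname mismatch makes the child rule silently drop out while the parent still matches; it is not a claim about which value OSSEC actually stores for agent-forwarded events.

```python
import re

# Constructed sample: the exact syslog line from the report, as ossec-logtest sees it.
SAMPLE_LINE = "Apr 2 18:03:29 k8smaster kernel: device veth39f40958 entered promiscuous mode"

# Minimal BSD-syslog header parser: "<Mon> <day> <time> <hostname> <program>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<hostname>\S+)\s+(?P<program>[^:\s]+):\s*(?P<message>.*)$"
)


def parse_syslog(line):
    """Split a syslog line into its header fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


# Assumed rule table modelled on the report: a parent rule that matches the
# promiscuous-mode message, and a child rule that narrows it by hostname.
# Rule ids 5104 and 100020 are from the report; everything else is an assumption.
RULES = [
    {"id": 5104, "level": 8, "if_sid": None, "match": "promiscuous mode", "hostname": None},
    {"id": 100020, "level": 8, "if_sid": 5104, "match": None, "hostname": r"^k8smaster$"},
]


def evaluate(event, rules=RULES):
    """Return the id of the most specific rule that fires, or None.

    Rules are checked in order; a child rule (if_sid set) is only considered
    once its parent has fired, and a hostname regex that fails to match simply
    skips the child, leaving the parent's id as the result.
    """
    fired = None
    for rule in rules:
        if rule["if_sid"] is not None and rule["if_sid"] != fired:
            continue
        if rule["match"] and rule["match"] not in event["message"]:
            continue
        if rule["hostname"] and not re.search(rule["hostname"], event["hostname"]):
            continue
        fired = rule["id"]
    return fired


def check_line(line, hostname_override=None):
    """Evaluate one line; optionally replace the parsed hostname to simulate
    the field carrying a different value than the syslog header shows."""
    event = parse_syslog(line)
    if event is None:
        return None, None
    if hostname_override is not None:
        event = dict(event, hostname=hostname_override)
    return event["hostname"], evaluate(event)


if __name__ == "__main__":
    # Logtest-style path: hostname comes straight from the syslog header.
    print(check_line(SAMPLE_LINE))                              # ('k8smaster', 100020)
    # Constructed mismatch: same message, different hostname value -> only the parent fires.
    print(check_line(SAMPLE_LINE, hostname_override="agent01"))  # ('agent01', 5104)
```

The practical check this suggests is to compare the hostname value the server actually decodes with the value the rule expects: ossec-logtest prints the pre-decoded fields (including the hostname it extracted) for a pasted line, so running the same line through it on the server and looking at that field shows whether the regex in the rule can ever match. If the two disagree, the child rule never fires and the parent rule's level 8 alert is all that appears in ossec.log, which is exactly the KO result described above.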