我正在使用OSSEC来尝试和监视诸如Windows Event Log等服务器上的服务。
我想知道一个服务已经停止或开始,并相应地通过电子邮件发送。
我试过一个规则,事件ID 6006(事件日志服务已停止)的警报。
<rule id="100011" level="10"> <match>INFORMATION(6006)</match> <options>alert_by_email</options> <description>The Event log service was stopped.</description> </rule>
但是这并没有引发事件。 所以我试着在ossec-logtest中testing一个日志。
我不得不补充日志条目,因为我无法得到ossec-analysisd将从Windows's Event View处理的日志。
我试着在ossec-logtest中login,似乎是正确的。
input日志:
2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.
Ossec-logtest输出:
**Phase 1: Completed pre-decoding. full event: '2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.' hostname: 'CentOS1' program_name: '(null)' log: '2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.' **Phase 2: Completed decoding. No decoder matched. **Phase 3: Completed filtering (rules). Rule id: '100011' Level: '10' Description: 'The Event log service was stopped.' **Alert to be generated.
这导致我认为代理没有将日志事件6006发送到OSSEC服务器。 我正在使用代理的默认configuration,有什么我失踪,以获得事件ID 6006发射?