Hi all, am hoping someone can give me an example of one "known good" simple custom rule and decoder for any kind of common Windows event.
I have been trying/failing to figure out how to get any kind of custom rule to work for Windows clients running the ossec windows agent. I have an Ubuntu server dedicated to running OSSEC server side, and a number of Windows clients. Happy to provide configs but was hoping to get simple "known good" examples of a custom rule and decoder aimed at a common windows event to test with, and if those don't work, follow up with configs, logs etc.
Things are working to some degree, in that I get log in/log off alerts from the Windows clients that show up in my ossec server's archive.log, its alerts.log, and then my email (e.g., "Rule: 18107 fired (level 3) -> "Windows Logon Success basket random""). But any attempt at a custom rule? Nada. And other rules xml files that come with ossec don't seem to fire whether they be Linux oriented rules or Windows oriented (or both). I haven't been able to tell what might be appreciably different with the msauth rules vs. other ones...
Thx!
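One working pattern for what is asked above, added here as an example rather than taken from the thread or from the OSSEC project's own rule files: event log entries forwarded by the Windows agent arrive prefixed with `WinEvtLog:` and are already parsed by the stock `windows` decoder, so a custom rule needs no custom decoder; it chains off the stock msauth rules (18100 for every Windows event, 18107 for the "Windows Logon Success" alert mentioned above) with `<if_sid>`. The rule ids, levels and the account name `svc-backup` are assumptions.

```xml
<!-- /var/ossec/rules/local_rules.xml, loaded through <include>local_rules.xml</include>
     in ossec.conf; ids 100000-109999 are reserved for local rules. -->
<group name="local,windows,">

  <!-- Child of the stock 18107 "Windows Logon Success" rule: the parent has already
       matched, so this rule only adds a condition. <match> is a literal substring
       test against the flattened event text; "svc-backup" is a constructed account
       name, replace it with the account you actually want to watch. -->
  <rule id="100200" level="8">
    <if_sid>18107</if_sid>
    <match>svc-backup</match>
    <description>Custom: successful logon by the svc-backup service account</description>
  </rule>

  <!-- Child of 18100 (everything the windows decoder handles), keyed on the event
       id the decoder extracts. 1102 is the Security log "audit log cleared" event;
       the ^ and $ anchors stop 1102 from also matching ids such as 11020. -->
  <rule id="100201" level="10">
    <if_sid>18100</if_sid>
    <id>^1102$</id>
    <description>Custom: Windows Security audit log was cleared</description>
  </rule>

</group>
```

After restarting the server, paste a `WinEvtLog:` line copied from the archives log into `/var/ossec/bin/ossec-logtest` to see which decoder and rule id fire before waiting on email. Keep in mind that mail is only sent for alerts at or above `<email_alert_level>` in ossec.conf (default 7), which silently hides low-level custom rules even when they match.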
Hope someone can explain in more detail. I'm attempting to get a custom rule and decoder to function, but I'm not getting far with it. To make matters worse, I've tried a lot of different things.