我正在OSSEC
尝试和监控诸如服务器上的服务Windows Event Log
。
我想要知道某项服务是否已停止或启动,并收到相应的电子邮件。
我已经尝试了一条针对事件 ID 6006(事件日志服务已停止)发出警报的规则。
<rule id="100011" level="10">
<match>INFORMATION(6006)</match>
<options>alert_by_email</options>
<description>The Event log service was stopped.</description>
</rule>
但这并没有触发事件。所以我尝试测试登录ossec-logtest。
我不得不编造日志条目,因为我无法获得ossec-分析将从 处理Windows's Event View
。
我尝试登录ossec-logtest而且看上去射击正常。
输入日志:
2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.
Ossec-logtest输出:
**Phase 1: Completed pre-decoding.
full event: '2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.'
hostname: 'CentOS1'
program_name: '(null)'
log: '2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '100011'
Level: '10'
Description: 'The Event log service was stopped.'
**Alert to be generated.
这让我认为代理没有将日志事件 6006 发送到 OSSEC 服务器。我在代理上使用默认配置,我是否缺少了什么来触发事件 ID 6006?