I was working on something like that and found that user wasn't picking up with my decoder. I ended up switching to using a match instead.
If you run the log entry through ossec-logtest you should be able to see if user is getting set to anything.
↧
Channel:
OSSEC Ignore Alert - Server Fault
X
Are you the publisher?
Claim or
contact us
about this channel.
X
0
Channel Details:
- Title: OSSEC Ignore Alert - Server Fault
- Channel Number: 75360447
- Language: English
- Registered On: October 25, 2019, 12:55 pm
- Number of Articles: 2
- Latest Snapshot: October 25, 2019, 12:55 pm
- RSS URL: https://serverfault.com/feeds/question/928755
- Publisher: https://serverfault.com/q/928755
- Description:
- Catalog: //ossec38.rssing.com/catalog.php?indx=75360447
© 2025 //www.rssing.com