ossec-logtest

The ossec-logtest program is a useful tool when working with Wazuh rules. This tool allows the testing and verification of rules against provided log examples in a way that simulates the action of ossec-analysisd. This can also assist with writing and debugging custom rules and troubleshooting false positives and negatives.

-a

Analysis of input lines as though they are live events.

-c <config>

Run using config as the configuration file.

Default Value

/var/ossec/etc/ossec.conf

-D <dir>

Specifies the chroot before it completes loading all rules,decoders,

and lists and processing standard input.

-d

Run as a Print debug output to the terminal. This option may be repeated

to increase the verbosity of the debug messages.group.

-h

Display the help message.

-t

Test configuration. This will display file details on the rules to be loaded

by ossec-analysisd, decoders, and lists as they are loaded and the order

they were processed.

-U <rule-id:alert-level:decoder-name>

This option will cause ossec-logtest to return a zero exit status if the test

results for the provided log line match the criteria in the arguments.

Only one log line should be supplied for this to be useful.

-V

Display the version and license information for Wazuh and ossec-logtest.

-v

Display the verbose results.

Note

-U ossec-logtest code requires access to all ossec configuration files.

Note

-v is the key option to troubleshoot a rule or decoder problem.