The ossec-logtest program is a useful tool when working with Wazuh rules. This tool allows the testing and verification of rules against provided log examples in a way that simulates the action of ossec-analysisd. This can also assist with writing and debugging custom rules and troubleshooting false positives and negatives.
|-a||Analysis of input lines as though they are live events.|
|-c <config>||Run using
Specifies the chroot before it completes loading all rules,decoders,
and lists and processing standard input.
Run as a Print debug output to the terminal. This option may be repeated
to increase the verbosity of the debug messages.group.
|-h||Display the help message.|
Test configuration. This will display file details on the rules to be loaded
by ossec-analysisd, decoders, and lists as they are loaded and the order
they were processed.
This option will cause ossec-logtest to return a zero exit status if the test
results for the provided log line match the criteria in the arguments.
Only one log line should be supplied for this to be useful.
|-V||Display the version and license information for Wazuh and ossec-logtest.|
|-v||Display the verbose results.|
- U ossec-logtest code requires access to all ossec configuration files.
-v is the key option to troubleshoot a rule or decoder problem.