Created a UDS for OSSEC; it validates fine, but enVision won't use it.
Granted, I haven't parsed every single rule, but I've parsed the ones that trigger the most.
I've validated it using the 1.1.1 version of the integrator and everything parses.
I install it to envision, and it ignores it.
I've attempted to force it to use the OSSEC device, but it just ends up generating a new unknown entry.
I've attached my deployment package. The version of OSSEC I'm using is the latest version available on the website.
Any help would be greatly appreciated.
I am new to Envision and have no UDS experience yet, but my first thought is: are you trying to parse the alerts log format or OSSEC syslog output? I imagine the latter would be easier to work with.
Can you please post an lsdata dump of the OSSEC logs from enVision?
Scrub it if you have to, but it makes it a lot easier for the community to assist if you can provide logs to compare against.
Can you run the following lsdata command and share the OSSEC logs that are reporting in the unknown category so that I can help you.
I have already created a UDS for OSSEC and it is working fine for me.
lsdata -events Syslog -time [start_time] [end_time] -devices Unknown:device_ip
start_time & end_time: the time window to query. Time format YYYYMMDDHHMMSS.
device_ip: the OSSEC device IP that got recognised as unknown.