Manual -> Creating a separated directory for testing OSSEC rules/config
A question I often hear is how to use a separate directory for testing OSSEC rules and configuration without touching the running installation.
The easiest way is the following:
- Choose a new directory to use as the test base. In my case it is going to be /tmp/ossectest
- Create that directory and a few important sub-directories (etc, queue/fts and rules).
- Copy over your configuration file, rules and decoders.
- Run ossec-logtest pointed at the new directory and configuration.
- Now you can modify the rules and configuration under /tmp/ossectest and only move them to the real running directory once logtest accepts them.
# mkdir /tmp/ossectest
# mkdir /tmp/ossectest/etc
# mkdir /tmp/ossectest/queue/
# mkdir /tmp/ossectest/queue/fts
# mkdir /tmp/ossectest/rules
# cp -pr /var/ossec/etc/decoder.xml /tmp/ossectest/etc
# cp -pr /var/ossec/etc/ossec.conf /tmp/ossectest/etc
# cp -pr /var/ossec/rules/* /tmp/ossectest/rules/
# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf
If there is any error in the rules or in the configuration, logtest will refuse to start and print a message like this one (here a deliberately unclosed element in ossec.conf):
# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf
2009/10/28 12:40:27 ossec-config(1226): ERROR: Error reading XML file ‘/tmp/ossectest/etc/ossec.conf’: XML ERR: Element not closed: globalaa (line 7).
2009/10/28 12:40:27 ossec-testrule(1202): ERROR: Configuration error at ‘/tmp/ossectest/etc/ossec.conf’. Exiting.
Otherwise logtest starts normally and you can paste any log lines into it to see which decoder and rule they match, using the test copy of the rules.
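The same procedure as a reusable script, added here as an example and not part of the OSSEC manual: it builds the test tree, checks the copy is complete, and tells you whether ossec-logtest accepted the configuration by looking for the error lines shown above. It assumes the default /var/ossec install and /tmp/ossectest paths (both can be overridden); the function names are mine and the sample log line is constructed.

```shell
# make_ossec_testdir SRC DST: replicate the layout the manual describes
# (etc, queue/fts, rules) and copy in the decoder, config and rules.
make_ossec_testdir() {
    src=${1:-/var/ossec}
    dst=${2:-/tmp/ossectest}
    mkdir -p "$dst/etc" "$dst/queue/fts" "$dst/rules" || return 1
    cp -p "$src/etc/decoder.xml" "$dst/etc/" || return 1
    cp -p "$src/etc/ossec.conf"  "$dst/etc/" || return 1
    cp -pr "$src/rules/." "$dst/rules/" || return 1
    # sanity check: everything logtest needs is now in the test tree
    [ -f "$dst/etc/decoder.xml" ] && [ -f "$dst/etc/ossec.conf" ] \
        && [ -n "$(ls "$dst/rules" 2>/dev/null)" ]
}

# logtest_has_error: read ossec-logtest output on stdin; return 0 if it
# contains the config/rule error lines the manual shows (ossec-config 1226
# "Error reading XML file" or ossec-testrule 1202 "Configuration error"),
# 1 otherwise.
logtest_has_error() {
    grep -Eq 'ERROR: (Error reading XML file|Configuration error)'
}

# ossec_testdir_ok DST: run ossec-logtest against the test tree with one
# sample event and report whether the configuration loaded cleanly.
# OSSEC_BIN may point at a different logtest binary (assumed default below).
ossec_testdir_ok() {
    dst=${1:-/tmp/ossectest}
    bin=${OSSEC_BIN:-/var/ossec/bin/ossec-logtest}
    # constructed sample line; we only care whether config and rules parse
    out=$(printf 'Oct 28 12:40:27 host sshd[1]: Accepted password for root from 10.0.0.1\n' \
          | "$bin" -D "$dst/" -c "$dst/etc/ossec.conf" 2>&1)
    rc=$?
    if printf '%s\n' "$out" | logtest_has_error; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    return $rc
}
```

Typical use: `make_ossec_testdir && ossec_testdir_ok && echo "safe to deploy"`; edit the files under /tmp/ossectest, re-run the second check, and only then copy them into /var/ossec.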

