A question I often hear is how to use a separate directory for testing OSSEC rules and configuration.
The easiest way is the following:
1. Choose the new directory to use as a test-base. In my case it is going to be /tmp/ossectest
2. Create that directory and a few important sub-directories.
# mkdir /tmp/ossectest
# mkdir /tmp/ossectest/etc
# mkdir /tmp/ossectest/queue/
# mkdir /tmp/ossectest/queue/fts
# mkdir /tmp/ossectest/rules
3. Copy over your configuration file, decoders and rules
# cp -pr /var/ossec/etc/decoder.xml /tmp/ossectest/etc
# cp -pr /var/ossec/etc/ossec.conf /tmp/ossectest/etc
# cp -pr /var/ossec/rules/* /tmp/ossectest/rules/
4. Run ossec-logtest using the new configuration and rules
# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf
5. Now you can modify the rules and configuration under /tmp/ossectest before moving them over to the real running directory.
If there is an error in the rules or in the configuration you will get a message like this (here the ossec.conf copy has an unclosed XML element on line 7):
# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf
2009/10/28 12:40:27 ossec-config(1226): ERROR: Error reading XML file ‘/tmp/ossectest/etc/ossec.conf’: XML ERR: Element not closed: globalaa (line 7).
2009/10/28 12:40:27 ossec-testrule(1202): ERROR: Configuration error at ‘/tmp/ossectest/etc/ossec.conf’. Exiting.
Otherwise you can pipe any log lines into ossec-logtest to test your rules against the sandbox copy.
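As an added example that is not from the original post, the helper script below automates the steps above and checks which rule id ossec-logtest reports for a sample log line, so a rules change can be verified in the sandbox before it is copied to /var/ossec. It assumes only the -D and -c options shown above, and the "Rule id: 'NNNN'" line in ossec-logtest output is an assumed output format.

```shell
#!/bin/sh
# Hypothetical helper (not part of OSSEC): build a throwaway OSSEC test tree
# from the live install and check which rule fires for a given log line.
set -eu

LIVE="${OSSEC_DIR:-/var/ossec}"   # live install; override with OSSEC_DIR

# Create the sandbox layout and copy config, decoders and rules into it.
make_sandbox() {  # make_sandbox <live_dir> <sandbox_dir>
    live="$1"; box="$2"
    mkdir -p "$box/etc" "$box/queue/fts" "$box/rules"
    cp -p "$live/etc/decoder.xml" "$box/etc/"
    cp -p "$live/etc/ossec.conf" "$box/etc/"
    cp -pr "$live/rules/." "$box/rules/"
}

# Extract the first rule id from ossec-logtest output read on stdin.
# Assumed output format: a line containing  Rule id: '1002'
rule_id_of() {
    sed -n "s/.*Rule id: '\([0-9][0-9]*\)'.*/\1/p" | head -n 1
}

# Feed one log line to ossec-logtest in the sandbox; print the matching rule id.
logtest_rule() {  # logtest_rule <sandbox_dir> <log line>
    box="$1"; line="$2"
    printf '%s\n' "$line" \
      | "$LIVE/bin/ossec-logtest" -D "$box/" -c "$box/etc/ossec.conf" 2>&1 \
      | rule_id_of
}

# Check that a sample line triggers the expected rule id; returns 1 on mismatch.
expect_rule() {  # expect_rule <sandbox_dir> <expected_id> <log line>
    got=$(logtest_rule "$1" "$3")
    if [ "$got" = "$2" ]; then
        echo "ok   rule $2"
    else
        echo "FAIL expected rule $2, got '${got:-none}'" >&2
        return 1
    fi
}
```

Typical use: `make_sandbox /var/ossec /tmp/ossectest`, edit the rules under /tmp/ossectest/rules, then `expect_rule /tmp/ossectest <rule id> '<sample log line>'` for each sample you keep.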