More decoder testing

[jrossi]

No description provided.

[ddpbsd]

Is this stuff documented anywhere? I'd love to read it if it is, or if you have some notes you can share I don't mind writing the docs.

[jrossi]

No docs but started oRFC so will add them into that pull request.

Right now if you are in src and run make test-rules it runs the rule tests. Tests are currently in contrib/ossec-test/tests.

Will move away from Python system to ossec-lua soon as it means on less requirement

[ddpbsd]

I'll wait for the switch before I really get into documenting it then. Thanks!

[jrossi]

That will no change anything around the rule testing format. The ini files will stay so you can look into them and start there if you would like.

[ddpbsd]

Well since I don't understand what the ini files are ini-ing, I don't think I'll start documenting that today.
Like, why pass|fail? Why would we want a check to fail? Do we intentionally make a mistake inputting the data (wrong level or whatever)?

[jrossi]

Ok makes sense but here are some details.

[rules name goes here must be uniq in file]
log 1 pass = this line must match rules, decoder, and alerts 
log 2 fail = this line must NOT match rules, decoder, and alerts
decoder = name-here
alert = 5
rule = 10000

[ddpbsd]

Awesome info, thanks! Are there options other than "log" at the beginning of the line?

[jrossi]

Nope no other options now. "log \d (pass|fail)" are the line feed into ossec-logtest and then from there the output is checked using ossec-logtest -U (http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html#cmdoption-ossec-logtest-U)