I have a MARS 50 that was running 4.3.2 and was recently upgraded to 4.3.6. We've been using custom rules that fire on seeing specific keywords in these events: Generic Windows system event log, Generic Windows security event log, Generic Windows application event log. All these events are from Windows servers sending syslog via Snare.
The problem is that if I query the MARS using the EXACT same criteria as the custom rule, I get thousands of events for the same time period for which I get only a few hundred events from the custom rule.
I've made sure that my criteria for the query and the rules are exactly the same each time. I have tried making new custom rules where there was only one keyword to make sure it was very simple. I've tried disabling all custom rules so only one is on at a time. None of this has shed light on why a rule with the same criteria as a query would return maybe 10% of the results as the query. The issue existed in the old 4.3.2 code too, BTW.
I spoke to TAC about this and they are still looking into it and say it may be a new bug. It is hard for me to believe that I'm the first person to have a custom rule that alerts on a keyword in a Windows syslog event.
Anyone else experience this issue?