On Tuesday, May 24, 2016 at 6:04:21 PM UTC-6, Dave Vehrs wrote:
>
> Unfortunately I thought it might be an issue that was fixed in an update so I updated my git copy and installed it. Now I get a whole different set of errors.
>
> Starting with decoder.xml not being copied into the installation directory and followed by ossec-logtest resulting in reports like:
> 2016/05/24 17:47:42 ossec-analysisd(2102): ERROR: Duplicated decoder with prematch: 'pam-ruser'.
>
> And if I fix that one (because one of the duplicates should really be named pam-rhost rather than pam-ruser) it goes on to complain about other duplicates.
>
> So something changed in the update and it didn't update all the files.
>
> I'm looking into it and hopefully will soon get to a point I can test your idea.

OK, I've got the update to OSSEC 2.9 working and I figured out what you meant by the lacking prematch tag in the last decoder in kernel-iptables_apparmor_decoders.xml. It was the decoder for USB! Now I haven't quite figured out what prematch statement to add to it yet, but if I comment out that decoder entirely then mine works from local_decoders.xml.
And I think I'm beginning to understand the basics of how these decoders should go together and how interdependent they are. In the future when I run into a similar issue I will know to look beyond whatever little snippet I have written.

Thanks!

Dave
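As an added example (not code from this thread or from the OSSEC project), a small Python pre-check that scans a decoder file for the two conditions described above: a decoder name reused with a `<prematch>` each time, and a decoder that has no `<prematch>`, `<parent>` or `<program_name>` to key on. It assumes the usual decoder-file layout of `<decoder name="...">` elements and uses a constructed sample with hypothetical decoder names; the two rules are assumptions drawn from the errors quoted in the thread, not a copy of analysisd's loader.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OSSEC decoder file (hypothetical
# names and patterns, not the project's decoder.xml): "pam-ruser" is used
# twice with a <prematch> each time, and the last decoder has no <prematch>.
SAMPLE_DECODERS = r"""
<decoder name="pam-unix">
  <program_name>^pam_unix</program_name>
</decoder>
<decoder name="pam-ruser">
  <parent>pam-unix</parent>
  <prematch offset="after_parent">ruser=</prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>srcuser</order>
</decoder>
<decoder name="pam-ruser">
  <parent>pam-unix</parent>
  <prematch offset="after_parent">rhost=</prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>srcip</order>
</decoder>
<decoder name="usb-device">
  <regex>^usb \S+: New USB device found, idVendor=(\S+)</regex>
  <order>extra_data</order>
</decoder>
"""


def check_decoders(text):
    """Return [(decoder name, problem)]; rules are assumptions drawn from the
    errors quoted in the thread. The file has no single root, so it is
    wrapped first (patterns holding a raw '&' or '<' need escaping)."""
    root = ET.fromstring("<decoders>" + text + "</decoders>")
    problems, names_with_prematch = [], set()
    for dec in root.iter("decoder"):
        name = dec.get("name", "<unnamed>")
        if dec.find("prematch") is not None:
            # Same name carrying a <prematch> more than once: the 2102 error.
            if name in names_with_prematch:
                problems.append((name, "duplicated decoder with prematch"))
            names_with_prematch.add(name)
        elif dec.find("parent") is None and dec.find("program_name") is None:
            # Nothing for the decoder to match on: the USB-decoder situation.
            problems.append((name, "no parent, program_name or prematch"))
    return problems


if __name__ == "__main__":
    # Usage: check_decoders.py [file ...]; without files the sample is checked.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_DECODERS)]
    for label, text in sources:
        for name, problem in check_decoders(text):
            print(f"{label}: decoder '{name}': {problem}")
```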