Re: [ossec-list] Duplicate rule error
On Thu, Apr 5, 2018 at 6:39 PM, Cooper wrote:
> Do I need to leave those rule IDs as they were? I'm guessing overwrite
> means that they overrule the other rules with the same IDs?

Looks like you fixed it, but an answer on the list might help someone else.
Overwrite does what it says: it overrides another rule. The OSSEC-provided rules files will be overwritten during an upgrade, so to allow users to change those rules the overwrite option was added. A rule in local_rules.xml with the overwrite option will be used instead of the rule with that same ID in another rule file.
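Added example (not part of the thread, and not OSSEC's own code): a pre-flight check that models the two load errors discussed here, "Duplicate rule ID" and "Overwrite rule ... not found", over rule files given in load order. The rule XML is constructed sample input, and check_rule_files and the other names are hypothetical.

```python
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
RULE_TAG_RE = re.compile(r"<rule\s+([^>]*)>")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_rules(text):
    """Yield (rule_id, is_overwrite) for each <rule ...> tag outside XML comments."""
    # Regex instead of an XML parser: OSSEC rule files may hold several
    # top-level <group> elements, so they are not single-root XML documents.
    for tag in RULE_TAG_RE.finditer(COMMENT_RE.sub("", text)):
        attrs = dict(ATTR_RE.findall(tag.group(1)))
        if attrs.get("id", "").isdigit():
            yield int(attrs["id"]), attrs.get("overwrite") == "yes"


def check_rule_files(files):
    """files: list of (name, xml_text) in load order. Returns a list of findings."""
    seen = {}       # rule id -> file that first defined it
    findings = []
    for name, text in files:
        for rule_id, overwrite in parse_rules(text):
            if overwrite:
                # An overwrite rule needs an already-loaded rule with the same ID.
                if rule_id not in seen:
                    findings.append(("overwrite-not-found", rule_id, name, None))
            elif rule_id in seen:
                # IDs are global across all rule files, not unique per file.
                findings.append(("duplicate", rule_id, name, seen[rule_id]))
            else:
                seen[rule_id] = name
    return findings


# Constructed sample input standing in for a stock rule file.
STOCK = ("syslog_rules.xml", """
<group name="syslog,">
  <rule id="2501" level="5">
    <match>authentication failure</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
  <rule id="2502" level="10">
    <match>more authentication failures</match>
    <description>Repeated authentication failures.</description>
  </rule>
</group>
""")

# Constructed local rules reproducing both errors from the thread.
LOCAL_BROKEN = ("local_rules.xml", """
<group name="local,">
  <rule id="2501" level="5">
    <match>login rejected</match>
    <description>User authentication failure.</description>
  </rule>
  <!-- <rule id="2502" level="5"><description>disabled</description></rule> -->
  <rule id="120028" level="3" overwrite="yes">
    <description>Active Response Custom Messages Grouped</description>
  </rule>
</group>
""")

# Constructed corrected version: the clashing rule gets a new ID, overwrite is
# used only where a stock rule with that ID exists, and 120028 is a plain rule.
LOCAL_FIXED = ("local_rules.xml", """
<group name="local,">
  <rule id="100501" level="5">
    <match>login rejected</match>
    <description>User authentication failure.</description>
  </rule>
  <rule id="2502" level="12" overwrite="yes">
    <match>more authentication failures</match>
    <description>Repeated authentication failures (local severity).</description>
  </rule>
  <rule id="120028" level="3">
    <description>Active Response Custom Messages Grouped</description>
  </rule>
</group>
""")

BROKEN = [STOCK, LOCAL_BROKEN]
FIXED = [STOCK, LOCAL_FIXED]

if __name__ == "__main__":
    for kind, rule_id, where, first in check_rule_files(BROKEN):
        print(kind, rule_id, "in", where, "(first defined in %s)" % first if first else "")
```

The commented-out rule 2502 in the broken sample is ignored, which matches the thread's observation that commenting a rule out only moves the error to the next clashing ID.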
Re: [ossec-list] Duplicate rule error
Look to be all set now. Thanks for your help, Dan!

Starting OSSEC HIDS 2.9.3 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
Re: [ossec-list] Duplicate rule error
Do I need to leave those rule IDs as they were? I'm guessing overwrite means that they overrule the other rules with the same IDs?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
Re: [ossec-list] Duplicate rule error
Well that helped with the duplicate rule errors, so thank you for that! Now I am getting an overwrite rule error:

2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Here is the rule it is referencing (there are several after it that I'm sure will error out as well):

ar_log
Active Response Custom Messages Grouped
active_response,
Re: [ossec-list] Duplicate rule error
Oh interesting! I assumed it was "unique" to that rule file. I'll try re-IDing them and see what happens.
Re: [ossec-list] Duplicate rule error
On Thu, Apr 5, 2018 at 11:04 AM, Cooper wrote:
> Here's the rule from the error:
>
> esm
> authentication_failed,
> User authentication failure.
>
> If I comment it out, it just says the next rule is a duplicate, and so on
> and so on. None are overwrite rules.

Here's rule 2501 in OSSEC (https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130):

FAILED LOGIN |authentication failure|
Authentication failed for|invalid password for|
LOGIN FAILURE|auth failure: |authentication error|
authinternal failed|Failed to authorize|
Wrong password given for|login failed|Auth: Login incorrect|
Failed to authenticate user
authentication_failed,
User authentication failure.

So it looks like the custom rules implemented in your environment are using the ID ranges used by the project.
I think rule id 10+ are reserved for custom rules.
Anything below that could be used by the project at any time, possibly conflicting with custom rules using the wrong ranges.
Re: [ossec-list] Duplicate rule error
Here's the rule from the error:

esm
authentication_failed,
User authentication failure.

If I comment it out, it just says the next rule is a duplicate, and so on and so on. None are overwrite rules.
Re: [ossec-list] Duplicate rule error
On Wed, Apr 4, 2018, 8:56 PM Cooper wrote:
> Sorry Dan, I'm horribly new to managing ossec (yesterday). How would I
> know that?

Look for 'overwrite="yes"' in the rule.

> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>> On Wed, Apr 4, 2018, 8:50 PM Cooper wrote:
>>> When trying to start our new 2.9.3 ossec server, I receive the following
>>> error:
>>>
>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>>>
>>> However, inside local_rules, there's only one rule with an ID of 2501.
>>> If I comment out that rule, it just says that the next rule is a
>>> duplicate. These rules are being migrated from a working 2.7.2 install.
>>> Anyone run into this before?
>>
>> Are these overwrite rules?