Re: [ossec-list] Duplicate rule error

2018-04-06 Thread dan (ddp)
On Thu, Apr 5, 2018 at 6:39 PM, Cooper wrote:
> Do I need to leave those rule IDs as they were? I'm guessing overwrite
> means that they overrule the other rules with the same IDs?

Looks like you fixed it, but an answer on the list might help someone else. Overwrite

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Look to be all set now. Thanks for your help, Dan!

Starting OSSEC HIDS 2.9.3 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Do I need to leave those rule IDs as they were? I'm guessing overwrite means that they overrule the other rules with the same IDs?

On Thursday, April 5, 2018 at 4:34:03 PM UTC-6, Cooper wrote:
>
> Well that helped with the duplicate rule errors, so thank you for that!
> Now I am getting an

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Well that helped with the duplicate rule errors, so thank you for that! Now I am getting an overwrite rule error:

2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Here is the

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper Graf
Oh interesting! I assumed it was "unique" to that rule file. I'll try re-IDing them and see what happens.

On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) wrote:
> On Thu, Apr 5, 2018 at 11:04 AM, Cooper wrote:
> > Here's the rule from the error:
> >

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread dan (ddp)
On Thu, Apr 5, 2018 at 11:04 AM, Cooper wrote:
> Here's the rule from the error:
>
> esm
> authentication_failed,
> User authentication failure.
>
> If I comment it out, it just says the next rule is a duplicate, and so on
> and so on. None are

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Here's the rule from the error:

esm
authentication_failed,
User authentication failure.

If I comment it out, it just says the next rule is a duplicate, and so on and so on. None are overwrite rules.

On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>
>

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread dan (ddp)
On Wed, Apr 4, 2018, 8:56 PM Cooper wrote:
> Sorry Dan, I'm horribly new to managing ossec (yesterday). How would I
> know that?

Look for 'overwrite="yes"' in the rule.

> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 4,