Greetings Daniel: I tried copying just the decoder section from the snapshot to the decoder (removing the one that was present so there would be no duplicates)...
yet when I restart ossec it will not restart.

<!-- SonicWall decoder.
  - Will extract action, srcip, dstip, protocol, srcport and dstport
  - Examples:
  - Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
  - Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
  - id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35" fw=67.32.44.2 pri=5 c=64 m=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN dst=67.32.44.2:445:LAN rule=0
  -->
<decoder name="sonicwall">
  <type>firewall</type>
  <prematch>^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
  <plugin_decoder>SonicWall_Decoder</plugin_decoder>
</decoder>

/var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v1.3 Stopped
Starting OSSEC HIDS v1.3 (by Daniel B. Cid)...
2007/09/02 23:00:01 ossec-analysisd(2110): Invalid decoder argument for plugin_decoder: 'SonicWall_Decoder'.
2007/09/02 23:00:01 ossec-analysisd(1202): Configuration error at '/etc/decoder.xml'. Exiting.
ossec-analysisd: Configuration error. Exiting

Thoughts? Thank you.
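For reference, the field extraction that the decoder comment describes can be sketched in Python. This is an added example, not part of the original message and not the code of OSSEC's SonicWall_Decoder plugin. The names `decode` and `split_endpoint` are hypothetical, the prematch is approximated with Python regex classes, and treating `msg=` as the "action" is an assumption.

```python
import re

# Approximation of the decoder's <prematch> using Python regex classes.
PREMATCH = re.compile(r'^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d ')
# Optional syslog header such as "Jan 3 13:45:36 192.168.5.1 ".
HEADER = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ')
# key=value pairs; a value is either a "quoted string" or a bare token.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Sample lines taken from the decoder comment in the message above.
SAMPLES = [
    'Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" '
    'fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 '
    'src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000',
    'Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" '
    'fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" '
    'n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN',
    'id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35" fw=67.32.44.2 pri=5 c=64 '
    'm=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN '
    'dst=67.32.44.2:445:LAN rule=0',
]

def split_endpoint(value):
    """'2.2.2.2:36701:WAN' -> ('2.2.2.2', '36701'); the port may be absent."""
    parts = (value or '').split(':')
    ip = parts[0] or None
    port = parts[1] if len(parts) > 1 and parts[1].isdigit() else None
    return ip, port

def decode(line):
    """Return the extracted fields, or None if the line fails the prematch."""
    body = HEADER.sub('', line, count=1)
    if not PREMATCH.match(body):
        return None
    fields = {}
    for m in PAIR.finditer(body):
        # Group 3 is set only for quoted values (quotes stripped).
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    srcip, srcport = split_endpoint(fields.get('src'))
    dstip, dstport = split_endpoint(fields.get('dst'))
    proto = fields.get('proto')  # e.g. "tcp/50000"; missing on some events
    return {
        'action': fields.get('msg'),  # assumption: msg text used as the action
        'srcip': srcip, 'srcport': srcport,
        'dstip': dstip, 'dstport': dstport,
        'protocol': proto.split('/')[0] if proto else None,
    }
```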
