Dear All,

We have recently updated the OSSEC server from 2.0 to 2.3. After the upgrade the OSSEC server failed to start rootcheckd and syscheckd, probably due to a failure in starting analysisd.
When we check the OSSEC rules it says there is an error in local_rules.xml (there were many rules defined by us). We then checked all the rules deployed in local_rules.xml. The new version is not supporting these two rules, which were running earlier (I am not sure whether we received the alerts, but it never failed to load). Currently, with these two rules, the HIDS is not starting.

  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\system32\</match>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

  <rule id="100019" level='0'>
    <if_sid>100018</if_sid>
    <regex>Permissions changed from '\D\D\D\D\D\D\Dw\D' to '\D+'</regex>
    <description>World-writable File</description>
  </rule>

Can anyone tell me what is going wrong?

Regards,
Gagan
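As an added sanity check (example code added here, not part of the original post and not OSSEC's own loader), the script below parses a local_rules.xml fragment the way a reviewer would before restarting the daemons: it confirms the file is well-formed XML, and flags duplicate ids, missing level or description, an overwrite="yes" whose id is not in the base rule set you tell it about, and an <if_sid>/<if_matched_sid> that points at a rule id defined nowhere. The sample input is constructed from the two rules in the post; rule 100018, which 100019 chains to, is intentionally left out so the dangling reference shows up. The checker does not reproduce ossec-analysisd's own validation, so a clean run here does not guarantee the rules will load; ossec-logtest remains the authoritative test.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for this example: the two rules from the post, laid out as they
# would sit in local_rules.xml.  Rule 100018, which 100019 chains to via <if_sid>, is
# deliberately not included here so that the checker has a dangling reference to find.
SAMPLE_LOCAL_RULES = r"""
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\system32\</match>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="100019" level='0'>
    <if_sid>100018</if_sid>
    <regex>Permissions changed from '\D\D\D\D\D\D\Dw\D' to '\D+'</regex>
    <description>World-writable File</description>
  </rule>
</group>
"""


def check_rules(xml_text, known_ids=()):
    """Return a list of (rule_id, problem) tuples for a rules-file fragment.

    known_ids: ids of rules defined elsewhere in the loaded rule set (the stock
    OSSEC rules that a local override or an <if_sid> chain may depend on).
    """
    known = {str(i) for i in known_ids}
    problems = []
    try:
        # Rules files may hold several top-level <group> elements and no single
        # document root, so wrap the text before ElementTree sees it.
        root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    except ET.ParseError as exc:
        return [("-", f"XML not well-formed: {exc}")]

    rules = list(root.iter("rule"))
    local_ids = [r.get("id") for r in rules]
    defined = set(local_ids) | known
    seen = set()
    for rule in rules:
        rid = rule.get("id")
        if not rid or not rid.isdigit():
            problems.append((rid, "missing or non-numeric id attribute"))
            continue
        if rid in seen:
            problems.append((rid, "duplicate id in this file"))
        seen.add(rid)
        if rule.get("level") is None:
            problems.append((rid, "missing level attribute"))
        if rule.get("overwrite") == "yes" and rid not in known:
            problems.append((rid, 'overwrite="yes" but no base rule with this id was supplied'))
        if rule.find("description") is None:
            problems.append((rid, "missing <description>"))
        for tag in ("if_sid", "if_matched_sid"):
            for ref in rule.findall(tag):
                for target in re.split(r"[,\s]+", (ref.text or "").strip()):
                    if target and target not in defined:
                        problems.append((rid, f"<{tag}> references undefined rule {target}"))
    return problems


if __name__ == "__main__":
    # 554 exists in the stock syscheck rules, so it is passed as known; 100018 is not,
    # which is what a missing parent rule in local_rules.xml looks like to the checker.
    found = check_rules(SAMPLE_LOCAL_RULES, known_ids=[554]) or [("-", "no problems found")]
    for rid, problem in found:
        print(f"rule {rid}: {problem}")
```

To run it against a real installation, read /var/ossec/rules/local_rules.xml into xml_text and pass the ids collected from the other rules files listed in ossec.conf as known_ids, so that overrides and if_sid chains into the stock rules are not reported as dangling.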
