*UPDATE: This is in the ossec.log file. It looks like it's failing to load that XML file after all.*

2010/04/05 10:25:57 ossec-analysisd: ERROR: Compiled rule not found: 'is_simple_http_request'
2010/04/05 10:25:57 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': is_simple_http_request.
2010/04/05 10:25:57 ossec-testrule(1220): ERROR: Error loading the rules: 'web_rules.xml'.
2010/04/05 10:27:45 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2010/04/05 10:28:05 ossec-rootcheck: INFO: Starting rootcheck scan.

*I verified that the compiled rule is in the config as well.*

tes...@test:/usr/source/ossec-hids-2.4/src/analysisd/compiled_rules# ./register_rule.sh list
*Available functions:
check_id_size
comp_mswin_targetuser_calleruser_diff
comp_srcuser_dstuser
is_simple_http_request
is_valid_crawler
tes...@test:/usr/source/ossec-hids-2.4/src/analysisd/compiled_rules# ./register_rule.sh add is_simple_http_request
ERROR: Function 'is_simple_http_request' already added.

On Mon, Apr 5, 2010 at 10:37 AM, Chad Robertson <[email protected]> wrote:
> I updated OSSEC to 2.4 (though the -V still reports 2.3) and now
> ossec-logtest no longer starts. If I comment out the compiled rules in
> web_rules.xml it starts fine. This also doesn't seem to affect the program
> itself, just the logtest.
>
> tes...@test:~# /var/ossec/bin/ossec-analysisd -V
>
> OSSEC HIDS v2.3 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 2) as
> published by the Free Software Foundation. For more details, go to
> http://www.ossec.net/main/license/
>
> tes...@test:~# /etc/init.d/ossec status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
>
> tes...@test:~# /var/ossec/bin/ossec-logtest
> 2010/04/05 10:25:57 ossec-analysisd: ERROR: Compiled rule not found: 'is_simple_http_request'
> 2010/04/05 10:25:57 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': is_simple_http_request.
> 2010/04/05 10:25:57 ossec-testrule(1220): ERROR: Error loading the rules: 'web_rules.xml'.
