Hello, I've tested before OSSEC 2.5 and I've use some decoder for porsentry. When I tried these decoders on OSSEC 2.6 I have some mistakes like theses: ******************************************************************* Started ossec-remoted... 2011/07/28 16:42:04 ossec-syscheckd(1210): ERROR: Queue '/etc/ossec/ queue/ossec/queue' not accessible: 'Connection refused'. 2011/07/28 16:42:04 ossec-rootcheck(1210): ERROR: Queue '/etc/ossec/ queue/ossec/queue' not accessible: 'Connection refused'. 2011/07/28 16:42:12 ossec-syscheckd(1210): ERROR: Queue '/etc/ossec/ queue/ossec/queue' not accessible: 'Connection refused'. 2011/07/28 16:42:12 ossec-rootcheck(1210): ERROR: Queue '/etc/ossec/ queue/ossec/queue' not accessible: 'Connection refused'. 2011/07/28 16:42:25 ossec-syscheckd(1210): ERROR: Queue '/etc/ossec/ queue/ossec/queue' not accessible: 'Connection refused'. 2011/07/28 16:42:25 ossec-rootcheck(1211): ERROR: Unable to access queue: '/etc/ossec/queue/ossec/queue'. Giving up.. *****************************************************************
I tried many, many things, and I find my error, the new ossec 2.6 doesn't accept anymore the "-" in the decoder name. When my decoder name is <decoder name="portsentry-attackalert">, ossec doesn't want to restart. When my decoder name is <decoder name="portsentryattackalert"> ossec restart without any problem. When my decoder name is <decoder name="portsentryattackalert2"> ossec restart without any problem. I'm sorry if this issue was already documented, I haven't find the explanation on ossec website or in the 2.6 "What is new?" web page. May be this can help somebody. It is normal? or it's a "bug" of the 2.6 release?
