Hey, The issue is that the portsentry-attackalert was added to the release already :) So it fails due to the duplicated names...
Thanks, -- Daniel B. Cid dcid @ ossec.net On Thu, Jul 28, 2011 at 11:56 AM, Blauch Armand <[email protected]> wrote: > Hello, > > I've tested before OSSEC 2.5 and I've use some decoder for porsentry. > When I tried these decoders on OSSEC 2.6 I have some mistakes like > theses: > ******************************************************************* > Started ossec-remoted... > 2011/07/28 16:42:04 ossec-syscheckd(1210): ERROR: Queue '/etc/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/07/28 16:42:04 ossec-rootcheck(1210): ERROR: Queue '/etc/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/07/28 16:42:12 ossec-syscheckd(1210): ERROR: Queue '/etc/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/07/28 16:42:12 ossec-rootcheck(1210): ERROR: Queue '/etc/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/07/28 16:42:25 ossec-syscheckd(1210): ERROR: Queue '/etc/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/07/28 16:42:25 ossec-rootcheck(1211): ERROR: Unable to access > queue: '/etc/ossec/queue/ossec/queue'. Giving up.. > ***************************************************************** > > I tried many, many things, and I find my error, the new ossec 2.6 > doesn't accept anymore the "-" in the decoder name. > > When my decoder name is <decoder name="portsentry-attackalert">, ossec > doesn't want to restart. > When my decoder name is <decoder name="portsentryattackalert"> ossec > restart without any problem. > When my decoder name is <decoder name="portsentryattackalert2"> ossec > restart without any problem. > > > I'm sorry if this issue was already documented, I haven't find the > explanation on ossec website or in the 2.6 "What is new?" web page. > May be this can help somebody. > > It is normal? or it's a "bug" of the 2.6 release? > >
