Hello,

I am trying to use the list option on a rule:
<list field="user" lookup="not_match_key">/etc/ossec/rules/testlistgroup1</list>

This doesn't work! I've tried so many things, and I don't know what to do!
The rule fires every time, as if the rule doesn't read the list?
I only have a few accounts to put in this list (testuser, testuser2, ...)
and I don't understand how to write it.

I first created a testlistgroup1.txt with these values:
user:testuser
user:testuser2

I run ./ossec-makelist without problems each time I change
testlistgroup1.txt.

My ossec.conf file is like this:
<rules>
    <list>testlistgroup1.txt.cdb</list>
</rules>

When I start ossec-logtest I get this message:
ossec-testrule: INFO: Reading loading the lists file: 'testlistgroup1.txt.cdb'

Can someone help me? What is wrong with my list?
