On Wed, Aug 10, 2011 at 10:29 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> I am trying to use the list option on a rule:
> <list field="user" lookup="not_match_key">/etc/ossec/rules/
> testlistgroup1</list>
>

I think your list is going to alert if the user is not in the list as the key. Is this what you intend?

> This doesn't work! I've tried so many things, I don't know what to do!
> The rule fires every time, as if the rule doesn't read the list.
> I only have a few accounts to put in this list (testuser, testuser2....)
> and I don't understand how to write it.
>
> I first created a testlistgroup1.txt with these values:
> user:testuser
> user:testuser2
>

The format should be key:value and key should be unique. So:

testuser:stuff
testuser2:stuff

> I run ./ossec-makelist without problems each time I change
> testlistgroup1.txt
>
> My ossec.conf file is like this:
> <rules>
> <list>testlistgroup1.txt.cdb</list>
> </rules>
>
> When I start ossec-logtest I get this message:
> ossec-testrule: INFO: Reading loading the lists file:
> 'testlistgroup1.txt.cdb'
>
> Can someone help me? What is wrong with my list?
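
Added example, not part of the original thread and not OSSEC code: a simplified Python model of the list source file and the not_match_key lookup, showing why the file from the question makes the rule fire for every user while the key:value layout from the reply does not. The function names, the sample user names and the split on the first colon are assumptions made for illustration.

```python
# Simplified model of an OSSEC list source file and the not_match_key lookup.
# Illustration only: this is not how OSSEC or ossec-makelist is implemented.

def parse_list(text):
    """Parse key:value lines and return (entries, problems)."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # assumption: split on first colon
        if not sep or not key:
            problems.append(f"line {lineno}: not in key:value form: {line!r}")
        elif key in entries:
            problems.append(f"line {lineno}: duplicate key {key!r}")
        else:
            entries[key] = value
    return entries, problems


def not_match_key(entries, field_value):
    """True (rule condition met) when the field value is NOT a key in the list."""
    return field_value not in entries


ORIGINAL = "user:testuser\nuser:testuser2\n"     # file contents from the question
CORRECTED = "testuser:stuff\ntestuser2:stuff\n"  # layout suggested in the reply


def report(text, users):
    """Summarise the keys, format problems, and users the rule would fire for."""
    entries, problems = parse_list(text)
    fired = [u for u in users if not_match_key(entries, u)]
    return {"keys": sorted(entries), "problems": problems, "fired_for": fired}


if __name__ == "__main__":
    sample_users = ["testuser", "testuser2", "otheruser"]  # constructed values
    for name, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, report(text, sample_users))
```

With the original file the only key is the literal string "user", so no real account name is ever found as a key and the not_match_key condition holds for every event.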
