Thank you, everything works fine now! My list is like this:

testuser:testuser
testuser2:testuser2

and I've changed the path too, it was wrong. I now have:

<list field="user" lookup="not_match_key">rules/testlistgroup1</list>

On 10 Aug, 17:15, "dan (ddp)" <[email protected]> wrote:
> On Wed, Aug 10, 2011 at 11:02 AM, Blauch Armand <[email protected]> wrote:
> > Hello,
> >
> > Thanks for your help.
> >
> > My intent is to alert when a user uses the su command if he's not on a
> > list. (In this list I have all the authorized su users. I don't want
> > the rule to fire for them, because su usage is ok for these accounts.)
> >
> > I don't understand the list format. What is "stuff" in your example
> > (testuser:stuff testuser2:stuff)?
> > I've tried with stuff=user or stuff=dstuser, and it doesn't work.
>
> In your example the value (in the key:value pair) doesn't matter. It
> isn't being used. It can be anything.
>
> You could use:
>
> testuser:testuser
> testuser2:Bob Biggins
> testuser3:Scott Summers
>
> The important part is that the user names are in the key position, so
> re-write your list and try again.
>
> > On 10 Aug, 16:42, "dan (ddp)" <[email protected]> wrote:
> >> On Wed, Aug 10, 2011 at 10:29 AM, Blauch Armand <[email protected]> wrote:
> >> > hello,
> >> >
> >> > I'm trying to use the list option on a rule:
> >> > <list field="user" lookup="not_match_key">/etc/ossec/rules/
> >> > testlistgroup1</list>
> >>
> >> I think your list is going to alert if the user is not in the list as
> >> the key. Is this what you intend?
> >>
> >> > This doesn't work! I've tried so many things, I don't know what to do!
> >> > The rule fires every time, as if the rule doesn't read the list?
> >> > I only have a few accounts to put in this list (testuser, testuser2....)
> >> > and I don't understand how to write it.
> >> >
> >> > I first created a testlistgroup1.txt with these values:
> >> > user:testuser
> >> > user:testuser2
> >>
> >> The format should be key:value and key should be unique.
> >> So:
> >>
> >> > I run ./ossec-makelist without problem each time I change
> >> > testlistgroup1.txt
> >> >
> >> > My ossec.conf file is like this:
> >> > <rules>
> >> > <list>testlistgroup1.txt.cdb</list>
> >> > </rules>
> >> >
> >> > When I start ossec-logtest I have this message:
> >> > ossec-testrule: INFO: Reading loading the lists file:
> >> > 'testlistgroup1.txt.cdb'
> >> >
> >> > Can someone help me? What is wrong with my list?
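As an added illustration (not code from the thread or from OSSEC itself), here is a small Python emulation of the key:value list and the `not_match_key` lookup discussed above: it rejects the original list, whose key is the literal word `user` on every line, and shows that once the usernames sit in the key position the su rule only fires for users absent from the list. The parsing rules (unique keys, value ignored) and the alert logic are my reading of the replies, not OSSEC's own implementation.

```python
# Added example: emulate a key:value list feeding an OSSEC
# <list field="user" lookup="not_match_key"> rule. The parser and the
# alert logic below are assumptions based on the thread, not OSSEC code.

def parse_list(text):
    """Parse 'key:value' lines into a dict; keys must be unique.

    A key lookup never inspects the value, so anything may follow the
    first colon. Duplicate keys are rejected, since each key has to be
    unique in the list (blank lines are skipped; an assumption)."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected key:value, got {line!r}")
        key, value = line.split(":", 1)
        key = key.strip()
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        entries[key] = value.strip()
    return entries


def not_match_key(entries, field_value):
    """True when the rule would fire: the field value is NOT a list key."""
    return field_value not in entries


# Constructed sample: the first list from the thread. Every line has the
# key "user", so no username ever reaches the key position.
WRONG_LIST = "user:testuser\nuser:testuser2\n"

# Constructed sample: the corrected list from the reply. Usernames are
# the keys; the values are free text the lookup never reads.
AUTHORIZED_SU_USERS = "testuser:testuser\ntestuser2:Bob Biggins\ntestuser3:Scott Summers\n"


def su_alerts(list_text, users_seen):
    """Return, in order, the users for whom the su rule would alert."""
    entries = parse_list(list_text)
    return [u for u in users_seen if not_match_key(entries, u)]


if __name__ == "__main__":
    print(su_alerts(AUTHORIZED_SU_USERS, ["testuser", "alice", "testuser2"]))
    try:
        parse_list(WRONG_LIST)
    except ValueError as exc:
        print("wrong list rejected:", exc)
```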
