/var/ossec/bin/logtest -t

Try troubleshooting the issue.

On Apr 2, 2012 6:31 AM, "C. L. Martinez" <[email protected]> wrote:
> Hi all,
>
> I have a strange problem. I have defined a custom rule to trigger an
> alert when an RBN IP comes as a srcip in my log file. For example:
>
> <group name="rbn,">
>   <rule id="110008" level="14">
>     <if_sid>100202,100203,100201</if_sid>
>     <srcip>108.60.159.33</srcip>
>     <description>Connection from RBN IP</description>
>   </rule>
> </group>
>
> When I try to load this type of rule, this error occurs:
>
> 2012/04/02 07:47:27 ossec-analysisd: INFO: Reading rules file:
> 'my_rbn_rules.xml'
> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6387).
> 2012/04/02 07:47:27 ossec-remoted: Remote syslog allowed from: '
> 192.168.44.0/24'
> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6389).
> 2012/04/02 07:47:30 ossec-syscheckd(1210): ERROR: Queue
> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/04/02 07:47:30 ossec-rootcheck(1210): ERROR: Queue
> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/04/02 07:47:30 ossec-remoted(1210): ERROR: Queue
> '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/04/02 07:47:30 ossec-remoted(1211): ERROR: Unable to access
> queue: '/queue/ossec/queue'. Giving up..
> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
> 'my_dshield_rules.xml'
> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
> 'ossec_rules.xml'
>
> But it is really strange, because I have another rule file
> (my_dshield_rules.xml) configured like the previous one, and it doesn't
> return any error .... Where is the problem??
>
> Thanks.
