Doesn't show anything strange:

[root@srvtest bin]# /data/ossec/bin/ossec-logtest -t
2012/04/03 06:29:28 ossec-testrule: INFO: Reading local decoder file.
[root@srvtest bin]#

On Mon, Apr 2, 2012 at 5:30 PM, dan (ddp) <[email protected]> wrote:
> /var/ossec/bin/logtest -t
>
> Try troubleshooting the issue.
>
> On Apr 2, 2012 6:31 AM, "C. L. Martinez" <[email protected]> wrote:
>>
>> Hi all,
>>
>> I have a strange problem. I have defined a custom rule to trigger an
>> alert when an RBN IP comes as a srcip in my log files. For example:
>>
>> <group name="rbn,">
>>   <rule id="110008" level="14">
>>     <if_sid>100202,100203,100201</if_sid>
>>     <srcip>108.60.159.33</srcip>
>>     <description>Connection from RBN IP</description>
>>   </rule>
>> </group>
>>
>> When I try to load this type of rule, these errors occur:
>>
>> 2012/04/02 07:47:27 ossec-analysisd: INFO: Reading rules file: 'my_rbn_rules.xml'
>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6387).
>> 2012/04/02 07:47:27 ossec-remoted: Remote syslog allowed from: '192.168.44.0/24'
>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6389).
>> 2012/04/02 07:47:30 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2012/04/02 07:47:30 ossec-rootcheck(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2012/04/02 07:47:30 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2012/04/02 07:47:30 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file: 'my_dshield_rules.xml'
>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>>
>> But it is really strange, because I have another rule file
>> (my_dshield_rules.xml) configured the same way, and this one doesn't
>> return any error .... Where is the problem??
>>
>> Thanks.
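A small sanity check one could run over a custom rule file like the one quoted in this thread before loading it. This is an added example, not code from the OSSEC project or from anyone in the thread; it assumes the file holds a single well-formed <group> element and reports rule ids, if_sid references and srcip values that are malformed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rule quoted in the thread, plus one
# deliberately malformed rule so the checker has something to report.
SAMPLE_RULES = """<group name="rbn,">
  <rule id="110008" level="14">
    <if_sid>100202,100203,100201</if_sid>
    <srcip>108.60.159.33</srcip>
    <description>Connection from RBN IP</description>
  </rule>
  <rule id="11000x" level="14">
    <if_sid>100202, abc</if_sid>
    <srcip>!108.60.159.0/24</srcip>
    <srcip>108.60.999.1</srcip>
    <description>Broken rule (constructed)</description>
  </rule>
</group>
"""


def check_rules(xml_text):
    """Return a list of human-readable problems found in one <group> element."""
    problems = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        if not rid.isdigit():
            problems.append(f"rule id {rid!r} is not numeric")
        if not rule.get("level", "").isdigit():
            problems.append(f"rule {rid}: level {rule.get('level')!r} is not numeric")
        # <if_sid> holds a comma-separated list of parent rule ids
        for dep in rule.findall("if_sid"):
            for sid in (dep.text or "").split(","):
                if not sid.strip().isdigit():
                    problems.append(f"rule {rid}: if_sid entry {sid.strip()!r} is not a rule id")
        # <srcip> may be a single address or a CIDR block; a leading '!' negates it
        for ip in rule.findall("srcip"):
            value = (ip.text or "").strip().lstrip("!")
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"rule {rid}: srcip {value!r} is not a valid address or network")
    return problems


if __name__ == "__main__":
    for line in check_rules(SAMPLE_RULES):
        print(line)
```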
