I ran into the same problem - *IF* you try updating a 2.6 install with the 
beta - you must REPLACE it. So "no" to upgrade and then delete the existing 
folder (when it asks) and install new 2.7. Otherwise it keeps some files 
(have not verified which) that cause this.



On Wednesday, September 19, 2012 9:21:09 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Sep 19, 2012 at 12:15 PM, PAL <[email protected]> wrote: 
> > In ossec 2.7 a new log_format appeared: linux_auditd 
> > I got a strange error. 
> > 
> > When I configure it to read audit.log on the agent side: 
> > 
> >>   <localfile> 
> >>     <log_format timeout="5">linux_auditd</log_format> 
> >>     <location>/var/log/audit/audit.log</location> 
> >>   </localfile> 
> > 
> > 
> > all works OK. 
> > 
> > But when I wrote the same lines on the server host, I got an error: 
> > 
> > 2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute 
> > 'log_format' in the configuration: 'linux_auditd'. 
> > 2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at 
> > '/var/ossec/etc/ossec.conf'. Exiting. 
> > 2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error at 
> > '/var/ossec/etc/ossec.conf'. Exiting. 
> > 
> > When I set log_format to syslog OR comment out all rules, I have no errors. 
> > 
> > Is there any way to fix it? 
> > 
> > 
>
> Are you sure your OSSEC server is running version 2.7? 
>
