Hi all, I'm trying my hand at writing OSSEC rules.

I created a custom rule to capture failed login attempts on a Linux machine in /var/ossec/rules/local_rules.xml:

    <group name="syslog,sshd,">
      <rule id="100123" level="10" frequency="3">
        <match>^authentication failure</match>
        <group>authentication_failed</group>
        <description>Failed login attempts</description>
      </rule>
    </group>

When I restart the OSSEC service I get the following error:

*ossec-syscheckd(1210):Error:Queue '/var/ossec/queue/ossec/queue' not accessible : 'connection refused'*

Can someone help me identify what went wrong? Not just this: when I tried modifying the alert frequency of an event, I get the same error. For example, for ssh_successful I copied the following from the syslog_rules.xml file to local_rules.xml:

    <rule id="5402" level="3">
      <if_sid>5400</if_sid>
      <match> ; USER=root ; COMMAND=</match>
      <description>Successful sudo to ROOT executed</description>
    </rule>

In the local_rules.xml file I modified it as:

    <rule id="5402" level="3" frequency="15" overwrite="yes">
      <if_sid>5400</if_sid>
      <match> ; USER=root ; COMMAND=</match>
      <description>Successful sudo to ROOT executed</description>
    </rule>

I get the same error (*ossec-syscheckd(1210):Error:Queue '/var/ossec/queue/ossec/queue' not accessible : 'connection refused'*) on restarting OSSEC. Please assist.

Regards,
Shaun
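The following is an added example and not part of Shaun's post or of OSSEC itself: a small Python pre-check that parses a local_rules.xml fragment and flags the things a reviewer would look at before restarting the service, based on OSSEC's documented rule syntax (user rules are documented in the id range 100000-119999; `frequency` makes a rule a composite rule and is documented for use together with `timeframe` and one of `if_matched_sid`, `if_matched_group` or `if_matched_regex`). The two rules from the post are embedded as constructed sample input. The lint codes and the `lint_rules` function are this example's own names; the post does not say what caused the queue error, and this script only reports structural findings, it does not claim to reproduce OSSEC's own validation.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample input: the two rules quoted in the post, in one <group>.
SAMPLE_LOCAL_RULES = """<group name="syslog,sshd,">
  <rule id="100123" level="10" frequency="3">
    <match>^authentication failure</match>
    <group>authentication_failed</group>
    <description>Failed login attempts</description>
  </rule>
  <rule id="5402" level="3" frequency="15" overwrite="yes">
    <if_sid>5400</if_sid>
    <match> ; USER=root ; COMMAND=</match>
    <description>Successful sudo to ROOT executed</description>
  </rule>
</group>"""

# Id range OSSEC documents for user-defined rules (assumption: taken from the docs).
LOCAL_ID_RANGE = (100000, 119999)
# Child elements that turn a frequency rule into a proper composite rule.
COMPOSITE_PARENTS = ("if_matched_sid", "if_matched_group", "if_matched_regex")


def parse_rules_file(xml_text):
    """local_rules.xml may hold several top-level <group> elements, which is not
    a well-formed single document; wrap it in a synthetic root before parsing."""
    return ET.fromstring("<ossec_lint_root>" + xml_text + "</ossec_lint_root>")


def lint_rules(xml_text):
    """Return a list of findings: dicts with the rule id, a code and a message."""
    root = parse_rules_file(xml_text)
    findings = []
    seen_ids = set()

    def report(rid, code, msg):
        findings.append({"rule": rid, "code": code, "message": msg})

    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            report(rid, "BAD_ID", "rule id missing or not an integer")
            continue
        if rid in seen_ids:
            report(rid, "DUPLICATE_ID", "rule id appears more than once in this file")
        seen_ids.add(rid)

        # A stock id is expected only when the rule explicitly overwrites the stock rule.
        in_local_range = LOCAL_ID_RANGE[0] <= int(rid) <= LOCAL_ID_RANGE[1]
        overwrites = rule.get("overwrite", "").lower() == "yes"
        if not in_local_range and not overwrites:
            report(rid, "ID_OUTSIDE_LOCAL_RANGE",
                   "id is outside the user range and overwrite=\"yes\" is not set")

        if rule.get("level") is None:
            report(rid, "MISSING_LEVEL", "rule has no level attribute")

        # frequency turns this into a composite rule; check for the documented companions.
        if rule.get("frequency") is not None:
            if not any(rule.find(tag) is not None for tag in COMPOSITE_PARENTS):
                report(rid, "FREQUENCY_WITHOUT_IF_MATCHED",
                       "frequency is set but no if_matched_sid/if_matched_group/"
                       "if_matched_regex names the alert to count")
            if rule.get("timeframe") is None:
                report(rid, "FREQUENCY_WITHOUT_TIMEFRAME",
                       "frequency is set without an explicit timeframe")
    return findings


def main(argv):
    # Lint a real file if a path is given, otherwise the embedded sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOCAL_RULES
    findings = lint_rules(text)
    for f in findings:
        print("rule %s: %s: %s" % (f["rule"], f["code"], f["message"]))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to lint the embedded sample, or pass the path of a local_rules.xml; a non-zero exit status means at least one finding, which is convenient as a gate in a config-deployment script before the service is restarted.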
