Hi all,

My rules are these:


<group name="local,rsyslog,">
  <rule id="1050001" level="0">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>0</extra_data>
    <description>rsyslog is right</description>
  </rule>

  <rule id="1050002" level="1">
    <if_sid>1050001</if_sid>
    <extra_data>1</extra_data>
    <description>Rsyslog Alert</description>
  </rule>
</group>


But when I test it, log-test says this:

2013/03/01 15:57:47 ossec-testrule: INFO: Reading local decoder file.
2013/03/01 15:57:47 rules_list: Signature ID '1050001' not found. Invalid 'if_sid'.


I referred to the official example rules, like this:

<group name="zeus,">
  <rule id="31200" level="0">
    <decoded_as>zeus</decoded_as>
    <description>Grouping of Zeus rules.</description>
  </rule>

  <rule id="31201" level="0">
    <if_sid>31200</if_sid>
    <regex>^[\S+ \S+] INFO:|^[\S+ \S+] SSL:</regex>
    <description>Grouping of Zeus informational logs.</description>
  </rule>
.....


Why is this OK?





Thanks & Best Regards
