On Fri, Mar 1, 2013 at 3:14 AM, root <[email protected]> wrote:
> hi, all
>
> my rules are these:
>
> <group name="local,rsyslog,">
>   <rule id="1050001" level="0">
>     <decoded_as>rsyslog-pstats</decoded_as>
>     <extra_data>0</extra_data>
>     <description>rsyslog is right</description>
>   </rule>
>
>   <rule id="1050002" level="1">
>     <if_sid>1050001</if_sid>
>     <extra_data>1</extra_data>
>     <description>Rsyslog Alert</description>
>   </rule>
> </group>
>
> but when I test it, log-test says this:
>
> 2013/03/01 15:57:47 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/01 15:57:47 rules_list: Signature ID '1050001' not found. Invalid 'if_sid'.
Try using smaller numbers. 105001, 105002, etc.

> I referenced the official example rules, like this:
>
> <group name="zeus,">
>   <rule id="31200" level="0">
>     <decoded_as>zeus</decoded_as>
>     <description>Grouping of Zeus rules.</description>
>   </rule>
>
>   <rule id="31201" level="0">
>     <if_sid>31200</if_sid>
>     <regex>^[\S+ \S+] INFO:|^[\S+ \S+] SSL:</regex>
>     <description>Grouping of Zeus informational logs.</description>
>   </rule>
> .....
>
> Why is this OK?
>
> Thanks & best regards
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
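A small pre-flight checker for a local rules file, added here as an example (it is not code from this thread or from OSSEC): it verifies that every if_sid points at a rule defined earlier in the file and that rule IDs fall inside the user-defined range. The 100000-119999 range is OSSEC's documented convention for local rules and is an assumption of this script, not something the reply states; the two rules from the question are embedded as constructed sample input.

```python
import xml.etree.ElementTree as ET

# Assumption: OSSEC's documented range for user-defined (local) rule IDs.
LOCAL_RANGE = (100000, 119999)


def lint_rules(xml_text, local_range=LOCAL_RANGE):
    """Return a list of problems found in an OSSEC rules fragment.

    Walks the rules in file order and reports duplicate IDs, IDs outside
    the local range, and <if_sid> references to rules not defined earlier.
    """
    # Rule files are XML fragments with several <group> roots, so wrap them.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    seen, problems = set(), []
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rid in seen:
            problems.append("rule %d: duplicate id" % rid)
        if not local_range[0] <= rid <= local_range[1]:
            problems.append("rule %d: id outside local range %d-%d"
                            % (rid, local_range[0], local_range[1]))
        for dep in rule.findall("if_sid"):
            # if_sid may carry a comma-separated list of parent rule IDs.
            for ref in dep.text.split(","):
                ref = int(ref.strip())
                if ref not in seen:
                    problems.append("rule %d: if_sid %d not defined before it"
                                    % (rid, ref))
        seen.add(rid)
    return problems


# The rules exactly as posted in the question (constructed sample input).
POSTED = """
<group name="local,rsyslog,">
  <rule id="1050001" level="0">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>0</extra_data>
    <description>rsyslog is right</description>
  </rule>
  <rule id="1050002" level="1">
    <if_sid>1050001</if_sid>
    <extra_data>1</extra_data>
    <description>Rsyslog Alert</description>
  </rule>
</group>
"""

# The same rules renumbered as the reply suggests.
FIXED = POSTED.replace("1050001", "105001").replace("1050002", "105002")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint_rules(text) or ["ok"])
```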
