I just tried your rules:
<group name="local,rsyslog,">
<rule id="150001" level="0">
<!-- <decoded_as>rsyslog-pstats</decoded_as> -->
<extra_data>0</extra_data>
<description>rsyslog is right</description>
</rule>
<rule id="150002" level="1">
<if_sid>150001</if_sid>
<extra_data>1</extra_data>
<description>Rsyslog Alert</description>
</rule>
</group>
and as Dan wrote, reducing the ID number fixes your error.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
