As I also use this overwrite mechanism very often and it works in 2.6 and 2.7, could you please post your faulty rule overwrite? Maybe you missed something.

Regards
Christian

On 13.03.2013 18:16, Stephane Rossan wrote:
> Hi all,
>
> I use Ossec 2.6 on my server and unix clients.
> Recently, I tried to tune rule 533, and set the level of alert from 7
> to 6. In my setup, 6 doesn't generate email alerts.
> After a few hours of this implementation, I noticed the following errors in
> ossec.log:
> 2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending message to queue.
> 2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> 2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
>
> I did some research and found this error message has nothing to do
> with the queue. It is related to a syntax error in local_rules.xml. I
> checked it, couldn't figure out the issue, validated it with
> ossec-logtest, everything was fine. Reviewing my SCM for any change in
> the rules, I noticed issues started around the time I added rule 533
> to my local_rules.xml file. I rolled back to the previous version,
> minus rule 533. I monitored ossec.log for 24 hours, no issue. When I
> added rule 533 back, it broke again.
>
> Is there a way to fix this bug? I really need to collect netstat info
> but don't want to get an email alert every time there is a change.
>
> Thanks in advance,
> -Stephane
