I also can't find an error here. Maybe it's some weird line ending problem that is only triggered by the logcollector and not logcheck.
On 13.03.2013 18:49, Stephane Rossan wrote:
> Here is my rule, from local_rules.xml
> <rule id="533" level="6" overwrite="yes">
> <if_sid>530</if_sid>
> <match>ossec: output: 'netstat -tan</match>
> <check_diff />
> <description>Listened ports status (netstat) changed (new port opened or closed).</description>
> </rule>
>
> I use the overwrite option a lot, and cannot figure out what went wrong here.
>
>
> On Wed, Mar 13, 2013 at 10:31 AM, Christian Beer <[email protected] <mailto:[email protected]>> wrote:
>
> As I use this overwrite mechanism also very often and it works in 2.6 and 2.7, could you please post your faulty rule overwrite? Maybe you missed something.
>
> Regards
> Christian
>
> On 13.03.2013 18:16, Stephane Rossan wrote:
> > Hi all,
> >
> > I use Ossec 2.6 on my server and unix clients.
> > Recently, I tried to tune rule 533, and set the level of alert from 7 to 6. In my setup, 6 doesn't generate email alerts.
> > After a few hours of this implementation, I noticed the following errors in ossec.log:
> > 2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> > 2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending message to queue.
> > 2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> > 2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> >
> > I did some research and found this error message has nothing to do with the queue. It is related to a syntax error in local_rules.xml. I checked it, couldn't figure out the issue, validated it with ossec-logtest, everything was fine. Reviewing my SCM for any change in the rules, I noticed issues started around the time I added rule 533 to my local_rules.xml file. I rolled back to the previous version, minus rule 533. I monitored ossec.log for 24 hours, no issue. When I added rule 533 back, it broke again.
> >
> > Is there a way to fix this bug? I really need to collect netstat info but don't want to get an email alert every time there is a change.
> >
> > Thanks in advance,
> > -Stephane
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:ossec-list%[email protected]>.
> > For more options, visit https://groups.google.com/groups/opt_out.
>
>
> --
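A small checker for the two things discussed above, the line-ending hypothesis and whether local_rules.xml is well-formed XML, added here as an example and not code from the thread or from OSSEC. It assumes the file is read as raw bytes and that, as in OSSEC's shipped rule files, several top-level <group> elements may appear, so it wraps the content in a synthetic root before parsing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the thread, with a CR and a non-breaking space
# injected on purpose so the checker has something to report.
SAMPLE_RULES = (
    b'<group name="local,">\n'
    b'  <rule id="533" level="6" overwrite="yes">\r\n'
    b'    <if_sid>530</if_sid>\n'
    b"    <match>ossec: output: 'netstat -tan</match>\n"
    b'    <check_diff />\n'
    b'    <description>Listened ports status (netstat)\xc2\xa0changed.</description>\n'
    b'  </rule>\n'
    b'</group>\n'
)

def find_odd_bytes(data):
    """Report CRLF endings and non-ASCII/control bytes as (line_no, note) tuples."""
    findings = []
    for no, line in enumerate(data.split(b'\n'), start=1):
        if line.endswith(b'\r'):
            findings.append((no, 'CRLF line ending'))
        # Tabs are allowed; anything else below 0x20 or at/above 0x80 is suspect.
        bad = [b for b in line.rstrip(b'\r') if b >= 0x80 or (b < 0x20 and b != 0x09)]
        if bad:
            findings.append((no, 'non-ASCII or control byte 0x%02x' % bad[0]))
    return findings

def parse_rules(data):
    """Return all <rule> elements. Rule files may hold several top-level <group>
    elements (assumption based on OSSEC's shipped rules), so wrap them in one root."""
    root = ET.fromstring(b'<rules>' + data + b'</rules>')
    return root.findall('.//rule')

def check_rule(rule):
    """Structural checks on one <rule>: numeric id and level, and a <description>."""
    problems = []
    for attr in ('id', 'level'):
        if not (rule.get(attr) or '').isdigit():
            problems.append('rule %s: %s is missing or not numeric' % (rule.get('id'), attr))
    if rule.find('description') is None:
        problems.append('rule %s: no <description>' % rule.get('id'))
    return problems

def check_file(data):
    """Byte scan plus structural checks; a parse error is reported, not raised."""
    report = ['line %d: %s' % f for f in find_odd_bytes(data)]
    try:
        rules = parse_rules(data)
    except ET.ParseError as e:
        return report + ['XML parse error: %s' % e]
    return report + [p for r in rules for p in check_rule(r)]
```

Run it as `check_file(open('local_rules.xml', 'rb').read())` to get a list of findings, or an empty list when nothing stands out.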
