I know. I've been banging my head on this one. I cannot figure out the issue. I guess I will have to change my strategy and set email alerts to 8, instead of 7.
On Wed, Mar 13, 2013 at 10:59 AM, Christian Beer <[email protected]> wrote:

> I also can't find an error here. Maybe it's some weird line ending
> problem that is only triggered by the logcollector and not logcheck.
>
> On 13.03.2013 18:49, Stephane Rossan wrote:
> > Here is my rule, from local_rules.xml
> >
> > <rule id="533" level="6" overwrite="yes">
> >   <if_sid>530</if_sid>
> >   <match>ossec: output: 'netstat -tan</match>
> >   <check_diff />
> >   <description>Listened ports status (netstat) changed (new port opened
> >   or closed).</description>
> > </rule>
> >
> > I use the overwrite option a lot, and cannot figure out what went wrong
> > here.
> >
> > On Wed, Mar 13, 2013 at 10:31 AM, Christian Beer <[email protected]> wrote:
> >
> > > As I use this overwrite mechanism also very often and it works in 2.6
> > > and 2.7, could you please post your faulty rule overwrite? Maybe you
> > > missed something.
> > >
> > > Regards
> > > Christian
> > >
> > > On 13.03.2013 18:16, Stephane Rossan wrote:
> > > > Hi all,
> > > >
> > > > I use Ossec 2.6 on my server and unix clients.
> > > > Recently, I tried to tune rule 533, and set the level of alert from 7
> > > > to 6. In my setup, 6 doesn't generate email alerts.
> > > > After a few hours of this implementation, I noticed the following errors in
> > > > ossec.log:
> > > >
> > > > 2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> > > > 2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending message to queue.
> > > > 2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > > > 2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> > > > 2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > > > 2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> > > >
> > > > I did some research and found this error message has nothing to do
> > > > with the queue. It is related to a syntax error in local_rules.xml. I
> > > > checked it, couldn't figure out the issue, validated it with
> > > > ossec-logtest, everything was fine. Reviewing my SCM for any change in
> > > > the rules, I noticed issues started around the time I added rule 533
> > > > to my local_rules.xml file. I rolled back to the previous version,
> > > > minus rule 533. I monitored ossec.log for 24 hours, no issue. When I
> > > > added rule 533 back, it broke again.
> > > >
> > > > Is there a way to fix this bug? I really need to collect netstat info
> > > > but don't want to get an email alert every time there is a change.
> > > >
> > > > Thanks in advance,
> > > > -Stephane
> > > >
> > > > --
> > > > ---
> > > > You received this message because you are subscribed to the Google
> > > > Groups "ossec-list" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send
> > > > an email to [email protected].
> > > > For more options, visit https://groups.google.com/groups/opt_out.
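The thread narrows the cause to two candidates that ossec-logtest does not catch: a syntax slip in local_rules.xml, or odd bytes such as a stray line ending that only the daemons trip over. The lint below is an added example, not code from the thread or from the OSSEC project: it checks a rules file for hidden bytes (BOM, CRLF, NUL, non-ASCII), runs it through a strict XML parser as a second opinion on OSSEC's lenient one, and lists every rule that carries overwrite="yes" so the override you meant is the one the file holds. The embedded sample is the rule 533 override from the thread, wrapped in the group element a local_rules.xml file normally has; the function names are the example's own.

```python
import sys
import xml.etree.ElementTree as ET

BOM = b"\xef\xbb\xbf"

# Constructed sample: the rule 533 override posted in the thread, inside the
# <group> wrapper a local_rules.xml file normally carries.
SAMPLE_RULES = b"""<group name="local,syslog,">
  <rule id="533" level="6" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  </rule>
</group>
"""


def find_suspicious_bytes(data: bytes):
    """Report byte-level oddities an editor hides: a UTF-8 BOM, CRLF line
    endings, NUL bytes and non-ASCII bytes. Returns (line_no, description) pairs."""
    findings = []
    if data.startswith(BOM):
        findings.append((1, "UTF-8 byte-order mark"))
        data = data[len(BOM):]
    for no, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            findings.append((no, "CRLF line ending"))
        if b"\x00" in line:
            findings.append((no, "NUL byte"))
        if any(b > 0x7F for b in line):
            findings.append((no, "non-ASCII byte"))
    return findings


def overwrite_rules(root):
    """List (id, level) for every <rule overwrite="yes"> under the parsed root."""
    return [(r.get("id"), r.get("level"))
            for r in root.iter("rule") if r.get("overwrite") == "yes"]


def lint_rules_file(data: bytes):
    """Run the byte check and a strict XML parse. OSSEC's own parser is lenient,
    so a strict parser is a useful second opinion: it refuses a file OSSEC may
    quietly read differently from what was written."""
    findings = find_suspicious_bytes(data)
    body = data[len(BOM):] if data.startswith(BOM) else data
    try:
        root = ET.fromstring(body)
        parse_error = None
        overwrites = overwrite_rules(root)
    except ET.ParseError as exc:
        parse_error = str(exc)
        overwrites = []
    return {"byte_findings": findings, "parse_error": parse_error, "overwrites": overwrites}


if __name__ == "__main__":
    # Usage: python lint_rules.py /path/to/local_rules.xml  (defaults to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_RULES
    report = lint_rules_file(data)
    for no, what in report["byte_findings"]:
        print(f"line {no}: {what}")
    print("parse error:", report["parse_error"])
    print("overwrites:", report["overwrites"])
```

Run it against the real file before restarting the daemons; a clean report does not prove OSSEC will accept the rule, but any finding it does print is worth fixing first, since a daemon that gives up on the queue at startup tells you far less than this does.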
