On Wed, Mar 13, 2013 at 2:07 PM, Stephane Rossan <[email protected]> wrote:
> I know. I've been banging my head on this one. I cannot figure out the issue. I
> guess I will have to change my strategy and set email alerts to 8, instead
> of 7.
>

Can you upgrade to 2.7? I feel like there was at least 1 fix for issues with
overwrite between 2.6 and 2.7.

>
> On Wed, Mar 13, 2013 at 10:59 AM, Christian Beer
> <[email protected]> wrote:
>>
>> I also can't find an error here. Maybe it's some weird line ending problem
>> that is only triggered by the logcollector and not logcheck.
>>
>> On 13.03.2013 18:49, Stephane Rossan wrote:
>>
>> Here is my rule, from local_rules.xml
>> <rule id="533" level="6" overwrite="yes">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'netstat -tan</match>
>>   <check_diff />
>>   <description>Listened ports status (netstat) changed (new port opened
>>   or closed).</description>
>> </rule>
>>
>> I use the overwrite option a lot, and cannot figure out what went wrong here.
>>
>>
>> On Wed, Mar 13, 2013 at 10:31 AM, Christian Beer
>> <[email protected]> wrote:
>>>
>>> As I use this overwrite mechanism also very often and it works in 2.6
>>> and 2.7, could you please post your faulty rule overwrite? Maybe you
>>> missed something.
>>>
>>> Regards
>>> Christian
>>>
>>> On 13.03.2013 18:16, Stephane Rossan wrote:
>>> > Hi all,
>>> >
>>> > I use Ossec 2.6 on my server and unix clients.
>>> > Recently, I tried to tune rule 533, and set the level of alert from 7
>>> > to 6. In my setup, 6 doesn't generate email alerts.
>>> > After a few hours of this implementation, I noticed the following errors in
>>> > ossec.log:
>>> > 2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending
>>> > message to queue.
>>> > 2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending
>>> > message to queue.
>>> > 2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue
>>> > '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> > 2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access
>>> > queue: '/apps/ossec/queue/ossec/queue'. Giving up..
>>> > 2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue
>>> > '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> > 2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access
>>> > queue: '/apps/ossec/queue/ossec/queue'. Giving up..
>>> >
>>> > I did some research and found this error message has nothing to do
>>> > with the queue. It is related to a syntax error in local_rules.xml. I
>>> > checked it, couldn't figure out the issue, validated it with
>>> > ossec-logtest, everything was fine. Reviewing my SCM for any change in
>>> > the rules, I noticed issues started around the time I added rule 533
>>> > to my local_rules.xml file. I rolled back to the previous version,
>>> > minus rule 533. I monitored ossec.log for 24 hours, no issue. When I
>>> > added rule 533 back, it broke again.
>>> >
>>> > Is there a way to fix this bug? I really need to collect netstat info
>>> > but don't want to get an email alert every time there is a change.
>>> >
>>> > Thanks in advance,
>>> > -Stephane
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>> >
>>> >
>>>
>>
>>
>
>
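An added sanity check for local_rules.xml, written for this thread rather than taken from it, and not OSSEC's own rule parser (ossec-logtest remains the authoritative check). It wraps the file body in a synthetic root so that several top-level <group> elements parse, then reports the slips that typically surface as the queue errors quoted above: malformed XML, a bad level, or an overwrite rule that lost its trigger element. The embedded sample is the rule 533 overwrite posted in the thread; the trigger element list is an assumption drawn from OSSEC's rule syntax.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule 533 overwrite posted in the thread above.
RULE_533 = """
<group name="local,syslog,">
  <rule id="533" level="6" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened
    or closed).</description>
  </rule>
</group>
"""

# Elements that tie a rule to its parent or trigger (assumed OSSEC rule syntax).
TRIGGER_TAGS = ("if_sid", "if_group", "if_matched_sid", "if_matched_group",
                "decoded_as", "category")


def lint_local_rules(xml_text):
    """Return a list of findings for the body of an OSSEC local_rules.xml.

    A parse error is returned as a finding rather than raised, since a syntax
    slip in this file is what the thread traces the queue errors back to.
    """
    try:
        # OSSEC rule files may hold several <group> roots; give them one parent.
        root = ET.fromstring("<lint>" + xml_text + "</lint>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    seen_ids = set()
    for rule in root.iter("rule"):
        rid = rule.get("id") or "?"
        level = rule.get("level")
        if not rid.isdigit():
            findings.append("rule id=%s: missing or non-numeric id" % rid)
        elif rid in seen_ids:
            findings.append("rule id=%s: duplicate id in this file" % rid)
        seen_ids.add(rid)
        # OSSEC alert levels run from 0 to 16.
        if level is None or not level.isdigit() or int(level) > 16:
            findings.append("rule id=%s: level must be an integer 0-16" % rid)
        if rule.get("overwrite") == "yes" and not any(
                rule.find(tag) is not None for tag in TRIGGER_TAGS):
            findings.append("rule id=%s: overwrite=\"yes\" but no trigger "
                            "element (%s)" % (rid, ", ".join(TRIGGER_TAGS)))
    return findings
```

Run it over the file before restarting OSSEC; an empty list means the quick checks passed, not that ossec-analysisd will accept every regex inside.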
