I'm testing it at the moment...
Thanks.

On Wed, Mar 13, 2013 at 2:26 PM, dan (ddp) <[email protected]> wrote:

> On Wed, Mar 13, 2013 at 2:07 PM, Stephane Rossan <[email protected]>
> wrote:
> > I know. I've been banging my head on this one. I can not figure the issue. I
> > guess I will have to change my strategy and set email alerts to 8, instead
> > of 7.
> >
>
> Can you upgrade to 2.7? I feel like there was at least 1 fix for
> issues with overwrite between 2.6 and 2.7.
>
> >
> > On Wed, Mar 13, 2013 at 10:59 AM, Christian Beer
> > <[email protected]> wrote:
> >>
> >> I also can't find an error here. Maybe it's some weird line ending problem
> >> that is only triggered by the logcollector and not logcheck.
> >>
> >> On 13.03.2013 at 18:49, Stephane Rossan wrote:
> >>
> >> Here is my rule, from local_rules.xml
> >> <rule id="533" level="6" overwrite="yes">
> >>     <if_sid>530</if_sid>
> >>     <match>ossec: output: 'netstat -tan</match>
> >>     <check_diff />
> >>     <description>Listened ports status (netstat) changed (new port opened or closed).</description>
> >>   </rule>
> >>
> >> I use the overwrite option a lot, and can not figure what went wrong here.
> >>
> >>
> >> On Wed, Mar 13, 2013 at 10:31 AM, Christian Beer
> >> <[email protected]> wrote:
> >>>
> >>> As I use this overwrite mechanism also very often and it works in 2.6
> >>> and 2.7, could you please post your faulty rule overwrite? Maybe you
> >>> missed something.
> >>>
> >>> Regards
> >>> Christian
> >>>
> >>> On 13.03.2013 at 18:16, Stephane Rossan wrote:
> >>> > Hi all,
> >>> >
> >>> > I use Ossec 2.6 on my server and unix clients.
> >>> > Recently, I tried to tune rule 533, and set the level of alert from 7
> >>> > to 6. In my setup, 6 doesn't generate email alerts.
> >>> > After a few hours of this implementation, I noticed the following errors in
> >>> > ossec.log:
> >>> > 2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending
> >>> > message to queue.
> >>> > 2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending
> >>> > message to queue.
> >>> > 2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue
> >>> > '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >>> > 2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access
> >>> > queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> >>> > 2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue
> >>> > '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >>> > 2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access
> >>> > queue: '/apps/ossec/queue/ossec/queue'. Giving up..
> >>> >
> >>> > I did some research and found this error message has nothing to do
> >>> > with the queue. It is related to a syntax error in local_rules.xml. I
> >>> > checked it, couldn't figure the issue, validated it with
> >>> > ossec-logtest, everything was fine. Reviewing my SCM for any change in
> >>> > the rules, I noticed issues started around the time I added rule 533
> >>> > to my local_rules.xml file. I rolled back to the previous version,
> >>> > minus rule 533. I monitored ossec.log for 24 hours, no issue. When I
> >>> > added rule 533 back, it broke again.
> >>> >
> >>> > Is there a way to fix this bug? I really need to collect netstat info
> >>> > but don't want to get an email alert every time there is a change.
> >>> >
> >>> > Thanks in advance,
> >>> > -Stephane
> >>> > --
> >>> >
> >>> > ---
> >>> > You received this message because you are subscribed to the Google
> >>> > Groups "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it, send
> >>> > an email to [email protected].
> >>> > For more options, visit https://groups.google.com/groups/opt_out.
> >>> >
> >>> >
> >>>
> >>
> >>
> >
>
>
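
Added example, not part of the original thread and not OSSEC project code: Python that groups the ossec.log queue errors quoted above by daemon and reports which daemons gave up and when the failure began, so the start time can be compared with the rule change recorded in SCM. The log lines are the ones from the post with wraps rejoined; treating the number in parentheses as a message id and the names triage, gave_up and failure_start are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: the ossec.log lines quoted in the post, with wraps rejoined.
Q = "/apps/ossec/queue/ossec/queue"
SAMPLE_LOG = f"""\
2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue '{Q}' not accessible: 'Connection refused'.
2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access queue: '{Q}'. Giving up..
2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue '{Q}' not accessible: 'Connection refused'.
2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access queue: '{Q}'. Giving up..
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<daemon>ossec-[\w-]+)"
    r"\((?P<msg_id>\d+)\): ERROR: (?P<text>.*)$")

# Assumption: the parenthesised number identifies the message, as the post suggests
# (both daemons log the same number for the same text).
STAGES = {"1224": "send_failed", "1210": "queue_refused", "1211": "gave_up"}

def triage(log_text):
    """Group queue errors by daemon: first timestamp, ordered stages, queue path."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["msg_id"] not in STAGES:
            continue  # unrelated or malformed line
        entry = report.setdefault(m["daemon"], {"first": None, "stages": [], "queue": None})
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        entry["first"] = min(entry["first"] or ts, ts)
        entry["stages"].append(STAGES[m["msg_id"]])
        path = re.search(r"'(/[^']+)'", m["text"])
        if path:
            entry["queue"] = path.group(1)
    return report

def gave_up(report):
    """Daemons that logged the final 'Giving up' message."""
    return sorted(d for d, e in report.items() if "gave_up" in e["stages"])

def failure_start(report):
    """Earliest queue error across daemons, for comparison with the rule change time."""
    return min((e["first"] for e in report.values()), default=None)

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(failure_start(r), gave_up(r))
```
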


