It would be better if you paste the configuration error message you are receiving. I guess the closing quote mark is missing in the <match> tag. It should be <match>ossec: output: 'netstat -tan | grep LISTEN'</match>
On Saturday, December 21, 2013 10:24:16 AM UTC+5, finid wrote:
>
> The rule below is from http://ur1.ca/g8avy. It causes a configuration
> error when I use it in ossec.conf. What could be the problem?
>
> <rule id="140123" level="7">
> <if_sid>530</if_sid>
> <match>ossec: output: 'netstat -tan |grep LISTEN</match>
> <check_diff />
> <description>Listened ports have changed.</description>
> </rule>'
>
> TIA,
>
> --
> finid
