For those new to OSSEC, the official doc should be corrected, because
that's how the single quotes are on there. Notice that the closing
single quote is after the closing rule tag (</rule>').
But I corrected that and made a number of other changes, but it still
failed.
The doc I'm referring to is at http://ur1.ca/g8avy, under "Alerting when
output of a command changes."
The specific entry is:
===
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>
After that, I add a rule to alert when its output changes:
<rule id="140123" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan |grep LISTEN</match>
<check_diff />
<description>Listened ports have changed.</description>
</rule>'
===
When I put that in ossec.conf and restarted OSSEC, the output was:
"OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
And from the error logs:
===
ERROR: Invalid element in the configuration: 'rule'.
ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-testrule(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
===
So, what is in the "rule" above that's not valid?
TIA,
--
finid
On 2013-12-24 10:12, ossec_user wrote:
It would be better if you paste the configuration error message you
are receiving. I guess the closing quote mark is missing in the
<match> tag. It should be
<match>ossec: output: 'netstat -tan | grep LISTEN'</match>
On Saturday, December 21, 2013 10:24:16 AM UTC+5, finid wrote:
The rule below is from http://ur1.ca/g8avy [1]. It causes a configuration
error when I use it in ossec.conf. What could be the problem?
<rule id="140123" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan |grep LISTEN</match>
<check_diff />
<description>Listened ports have changed.</description>
</rule>'
TIA,
--
finid
--
---
You received this message because you are subscribed to the Google
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out [2].
Links:
------
[1] http://ur1.ca/g8avy
[2] https://groups.google.com/groups/opt_out
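A small lint for the copy-and-paste problems discussed in this thread, added here as an example and not code from the OSSEC project or from any poster. It parses a rules fragment and reports the three things that go wrong with the snippet above: a stray quote left outside the <rule> element, an unbalanced single quote inside <match>, and a <rule> that is not wrapped in a <group>. OSSEC rules live in a rules file such as local_rules.xml inside a <group>, which is why ossec-analysisd rejects "rule" as an element of ossec.conf. The sample fragments are constructed from the thread's snippet; the group name "local,syslog," in the corrected version is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule as pasted in the thread, with the stray quote
# after </rule> and the unclosed quote inside <match>.
BROKEN_RULE = """
<rule id="140123" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan |grep LISTEN</match>
<check_diff />
<description>Listened ports have changed.</description>
</rule>'
"""

# Constructed sample: the same rule placed where it belongs, inside a <group>
# in a rules file (group name is an assumption), with the quote closed.
FIXED_RULES_FILE = """
<group name="local,syslog,">
  <rule id="140123" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN'</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>
</group>
"""


def lint_rules(fragment):
    """Return a list of problems found in an OSSEC rules fragment.

    The fragment is wrapped in a synthetic root so that several top-level
    elements, or text trailing the last element, can still be parsed.
    """
    problems = []
    try:
        root = ET.fromstring("<lint>" + fragment + "</lint>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    # 1. Text sitting outside any element (for example a quote after </rule>)
    #    is not part of any rule and only confuses the parser.
    if root.text and root.text.strip():
        problems.append("stray text before first element: %r" % root.text.strip())
    for elem in root.iter():
        if elem is root:
            continue
        if elem.tail and elem.tail.strip():
            problems.append("stray text after </%s>: %r" % (elem.tag, elem.tail.strip()))

    # 2. A <rule> at top level means it is not inside a <group>, i.e. it was
    #    dropped into ossec.conf instead of a rules file.
    for child in root:
        if child.tag == "rule":
            problems.append(
                "rule id=%s is not inside a <group>; it belongs in a rules file "
                "such as local_rules.xml, not in ossec.conf" % child.get("id"))

    # 3. The match string quotes the command; an odd number of single quotes
    #    means the closing quote was lost in copy-and-paste.
    for match in root.iter("match"):
        text = match.text or ""
        if text.count("'") % 2:
            problems.append("unbalanced single quote in <match>: %r" % text)

    return problems


if __name__ == "__main__":
    for name, fragment in (("broken", BROKEN_RULE), ("fixed", FIXED_RULES_FILE)):
        found = lint_rules(fragment)
        print("%s: %s" % (name, "OK" if not found else ""))
        for problem in found:
            print("  -", problem)
```

Run against the broken fragment it reports all three problems; the corrected rules-file fragment passes cleanly. The localfile block with full_command still goes in ossec.conf; only the <rule> moves into a rules file.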