On Tue, Dec 24, 2013 at 8:22 AM, <[email protected]> wrote:
> For those new to OSSEC, the official doc should be corrected, because that's
> how the single quotes are on there. Notice that the closing single quote is
> after the closing rule tag (</rule>').
>

Yes, that's an obvious typo. I've corrected it, and will push a new copy of the docs sometime after the holiday. I'll also try to add a bit about aliases, since that's not in that document. Using commands without aliases is barbaric.

> But I corrected that and made a number of other changes, but it still failed.
>
> The doc I'm referring to is at http://ur1.ca/g8avy, under "Alerting when
> output of a command changes."
>
> The specific entry is:
> ===
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
> </localfile>
>
> After that, I add a rule to alert when its output changes:
>

Where did you add this rule? Is it between the '<group name="local,syslog,">' and '</group>' in /var/ossec/rules/local_rules.xml? The following rule worked perfectly for me, so I think we'll need more information to determine what you've done incorrectly.

>
> <rule id="140123" level="7">
> <if_sid>530</if_sid>
> <match>ossec: output: 'netstat -tan |grep LISTEN</match>
> <check_diff />
> <description>Listened ports have changed.</description>
> </rule>'
> ===
>
> When I put that in ossec.conf and restarted OSSEC, the output was:
>
> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>
> And from the error logs:
>
> ===
>
> ERROR: Invalid element in the configuration: 'rule'.
> ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> ossec-testrule(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
>
> ===
>
> So, what is in the "rule" above that's not valid?
>
> TIA,
>
> --
> finid
>
> On 2013-12-24 10:12, ossec_user wrote:
>>
>> It would be better if you paste the configuration error message you
>> are receiving. I guess the closing quote mark is missing in the
>> <match> tag.
>> It should be
>> <match>ossec: output: 'netstat -tan | grep LISTEN'</match>
>>
>> On Saturday, December 21, 2013 10:24:16 AM UTC+5, finid wrote:
>>
>>> The rule below is from http://ur1.ca/g8avy. It causes a configuration
>>> error when I use it in ossec.conf. What could be the problem?
>>>
>>> <rule id="140123" level="7">
>>> <if_sid>530</if_sid>
>>> <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>> <check_diff />
>>> <description>Listened ports have changed.</description>
>>> </rule>'
>>>
>>> TIA,
>>>
>>> --
>>> finid
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
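An added example, not from the thread or from the OSSEC project: a small Python checker that applies the two points made above (a <rule> belongs inside a <group> in local_rules.xml, never in ossec.conf, and the quote after </rule> is stray text). The XML samples are constructed from the rule and localfile entries quoted in the thread; the helper name and its messages are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (mirrors the thread): the rule pasted into ossec.conf,
# which is the wrong file, plus the stray quote after </rule> from the doc.
BAD_OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
  <rule id="140123" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>'
</ossec_config>"""

# Constructed sample: the same rule where it belongs, inside a <group> in
# /var/ossec/rules/local_rules.xml, with the stray quote removed.
GOOD_LOCAL_RULES = """<group name="local,syslog,">
  <rule id="140123" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>
</group>"""


def check_rule_placement(xml_text):
    """Return a list of problem strings for an OSSEC config/rules fragment.
    The text is wrapped in a synthetic root because OSSEC files may carry
    several top-level elements, which a strict XML parser would reject."""
    problems = []
    root = ET.fromstring("<root>" + xml_text + "</root>")
    parent = {child: elem for elem in root.iter() for child in elem}
    for elem in root.iter():
        # A <rule> is only valid inside a <group> of a rules file; in
        # ossec.conf it yields "Invalid element in the configuration: 'rule'".
        if elem.tag == "rule" and parent[elem].tag != "group":
            problems.append("rule id=%s is outside a <group> (in <%s>)"
                            % (elem.get("id"), parent[elem].tag))
        # Loose text after a closing tag, e.g. the quote in "</rule>'".
        if (elem.tail or "").strip():
            problems.append("stray text %r after </%s>"
                            % (elem.tail.strip(), elem.tag))
    return problems
```

Running it on the two samples flags the rule placement and the stray quote for the ossec.conf fragment and nothing for the local_rules.xml fragment.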
