I threw everything inside ossec.conf.
Were they supposed to go in different files?
--
finid
On 2013-12-24 14:15, dan (ddp) wrote:
On Tue, Dec 24, 2013 at 8:22 AM, <[email protected]> wrote:
For those new to OSSEC, the official doc should be corrected, because that's how the single quotes are on there. Notice that the closing single quote is after the closing rule tag (</rule>').
Yes, that's an obvious typo. I've corrected it, and will push a new
copy of the docs sometime after the holiday.
I'll also try to add a bit about aliases, since that's not in that
document. Using commands without aliases is barbaric.
But I corrected that and made a number of other changes, but it still failed.
The doc I'm referring to is at http://ur1.ca/g8avy, under "Alerting when output of a command changes."
The specific entry is:
===
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>
After that, I add a rule to alert when its output changes:
Where did you add this rule? Is it between the '<group name="local,syslog,">' and '</group>' in /var/ossec/rules/local_rules.xml?
The following rule worked perfectly for me, so I think we'll need more information to determine what you've done incorrectly.
<rule id="140123" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan |grep LISTEN</match>
<check_diff />
<description>Listened ports have changed.</description>
</rule>'
===
When I put that in ossec.conf and restarted OSSEC, the output was:
"OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
And from the error logs:
===
ERROR: Invalid element in the configuration: 'rule'.
ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
===
So, what is in the "rule" above that's not valid?
TIA,
--
finid
On 2013-12-24 10:12, ossec_user wrote:
It would be better if you paste the configuration error message you are receiving. I guess the closing quote mark is missing in the <match> tag. It should be
<match>ossec: output: 'netstat -tan | grep LISTEN'</match>
On Saturday, December 21, 2013 10:24:16 AM UTC+5, finid wrote:
The rule below is from http://ur1.ca/g8avy. It causes a configuration error when I use it in ossec.conf. What could be the problem?
<rule id="140123" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan |grep LISTEN</match>
<check_diff />
<description>Listened ports have changed.</description>
</rule>'
TIA,
--
finid
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
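A worked layout of the two files the thread is talking about, added here as an example and not taken from the thread or the OSSEC docs: the `<localfile>` command block belongs in /var/ossec/etc/ossec.conf, while the `<rule>` belongs inside a `<group>` in /var/ossec/rules/local_rules.xml, which is the placement dan asked about. The rule id, level, description and command are the ones quoted in the thread, the group name is the one dan mentioned, and the stray quote after `</rule>` is dropped. The `<match>` string is kept as the doc's unclosed prefix on purpose: OSSEC logs full_command output as `ossec: output: '<command>':` followed by the output, and `<match>` is a substring match, so a closing quote right after `LISTEN` would not match a command that continues with `|grep -v 127.0.0.1`.

```xml
<!-- /var/ossec/etc/ossec.conf (excerpt): runs the command and feeds its
     output to analysisd as "ossec: output: '<command>': <output>" -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: the rule that watches that output.
     A <rule> placed directly in ossec.conf is rejected with
     "ERROR: Invalid element in the configuration: 'rule'." -->
<group name="local,syslog,">
  <rule id="140123" level="7">
    <!-- 530 is the stock rule that catches every full_command output line -->
    <if_sid>530</if_sid>
    <!-- substring match on the command prefix; deliberately no closing quote,
         because the logged command continues past "LISTEN" -->
    <match>ossec: output: 'netstat -tan |grep LISTEN</match>
    <!-- alert only when the output differs from the previously stored output -->
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>
</group>
```

After saving both files, running /var/ossec/bin/ossec-logtest loads the rule set and reports any configuration error before a restart is attempted; the first run of the command stores a baseline, and `<check_diff />` only raises the level-7 alert once a later run's listening-port list differs from it.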