On Tue, Dec 24, 2013 at 9:36 AM, <[email protected]> wrote:
> I threw everything inside ossec.conf.
>
> Were they supposed to go in different files?
>

What? The <localfile> block goes in /var/ossec/etc/ossec.conf and the <rule> goes into a rules file (probably /var/ossec/rules/local_rules.xml). Is that what you were asking?

> --
> finid
>
> On 2013-12-24 14:15, dan (ddp) wrote:
>>
>> On Tue, Dec 24, 2013 at 8:22 AM, <[email protected]> wrote:
>>>
>>> For those new to OSSEC, the official doc should be corrected, because
>>> that's how the single quotes are on there. Notice that the closing single
>>> quote is after the closing rule tag (</rule>').
>>>
>>
>> Yes, that's an obvious typo. I've corrected it, and will push a new
>> copy of the docs sometime after the holiday.
>> I'll also try to add a bit about aliases, since that's not in that
>> document. Using commands without aliases is barbaric.
>>
>>> But I corrected that and made a number of other changes, and it still failed.
>>>
>>> The doc I'm referring to is at http://ur1.ca/g8avy, under "Alerting when
>>> output of a command changes."
>>>
>>> The specific entry is:
>>> ===
>>> <localfile>
>>>   <log_format>full_command</log_format>
>>>   <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>>> </localfile>
>>>
>>> After that, I add a rule to alert when its output changes:
>>>
>>
>> Where did you add this rule? Is it between the '<group
>> name="local,syslog,">' and '</group>' in
>> /var/ossec/rules/local_rules.xml?
>> The following rule worked perfectly for me, so I think we'll need more
>> information to determine what you've done incorrectly.
>>
>>> <rule id="140123" level="7">
>>>   <if_sid>530</if_sid>
>>>   <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>>   <check_diff />
>>>   <description>Listened ports have changed.</description>
>>> </rule>'
>>> ===
>>>
>>> When I put that in ossec.conf and restarted OSSEC, the output was:
>>>
>>> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>>>
>>> And from the error logs:
>>>
>>> ===
>>> ERROR: Invalid element in the configuration: 'rule'.
>>> ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>>> ossec-testrule(1202): ERROR: Configuration error at
>>> '/var/ossec/etc/ossec.conf'. Exiting.
>>> ===
>>>
>>> So, what is in the "rule" above that's not valid?
>>>
>>> TIA,
>>>
>>> --
>>> finid
>>>
>>> On 2013-12-24 10:12, ossec_user wrote:
>>>>
>>>> It would be better if you paste the configuration error message you
>>>> are receiving. I guess the closing quote mark is missing in the
>>>> <match> tag. It should be
>>>> <match>ossec: output: 'netstat -tan | grep LISTEN'</match>
>>>>
>>>> On Saturday, December 21, 2013 10:24:16 AM UTC+5, finid wrote:
>>>>
>>>>> The rule below is from http://ur1.ca/g8avy [1]. It causes a
>>>>> configuration error when I use it in ossec.conf. What could be the problem?
>>>>>
>>>>> <rule id="140123" level="7">
>>>>>   <if_sid>530</if_sid>
>>>>>   <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>>>>   <check_diff />
>>>>>   <description>Listened ports have changed.</description>
>>>>> </rule>'
>>>>>
>>>>> TIA,
>>>>>
>>>>> --
>>>>> finid
>>>>
>>>> Links:
>>>> ------
>>>> [1] http://ur1.ca/g8avy

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
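The file split dan describes, and the stray quote the thread is chasing, as an added example that is not part of the thread and not OSSEC's own code. The Python below parses constructed copies of the two fragments, flags a <rule> placed under <ossec_config> (the layout behind "Invalid element in the configuration: 'rule'") and any stray text after </rule>, and then runs constructed full_command events through an emulation of the rule's <match> and <check_diff />. Everything about OSSEC's behaviour here is modelled, not read from its source: the event shape "ossec: output: '<command>':" followed by the output, the treatment of `|` in <match> as an OR between alternatives (which means the doc's pattern actually splits at the pipe inside the command line and the first alternative is what fires), and a first observation that is stored as a baseline without alerting. The <if_sid>530</if_sid> parent dispatch is not emulated.

```python
"""Added example (not from the thread, not OSSEC's code). Constructed inputs only."""
import xml.etree.ElementTree as ET

# Constructed: the doc excerpt as pasted in the thread, everything in
# ossec.conf, stray quote after </rule>.
BROKEN_OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
  <rule id="140123" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>'
</ossec_config>
"""
EMPTY_LOCAL_RULES = '<group name="local,syslog,">\n</group>\n'

# Constructed: the split dan describes. Only <localfile> stays in ossec.conf ...
FIXED_OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
</ossec_config>
"""
# ... and the rule sits inside the <group> of local_rules.xml, quote removed.
FIXED_LOCAL_RULES = """<group name="local,syslog,">
  <rule id="140123" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>
</group>
"""


def _stray_text(elem):
    """Non-whitespace text left between child elements (e.g. the quote after </rule>)."""
    return [(c.tag, c.tail.strip()) for c in elem if c.tail and c.tail.strip()]


def lint_placement(ossec_conf, local_rules):
    """Return a list of placement problems; an empty list means the split looks right."""
    problems = []
    conf = ET.fromstring(ossec_conf)
    if conf.tag != "ossec_config":
        problems.append("ossec.conf root must be <ossec_config>")
    for child in conf:
        if child.tag in ("rule", "group"):
            problems.append("<%s> belongs in a rules file, not in ossec.conf" % child.tag)
    for tag, text in _stray_text(conf):
        problems.append("stray text %r after </%s> in ossec.conf" % (text, tag))
    rules = ET.fromstring(local_rules)
    if rules.tag != "group":
        problems.append("rules file root must be <group>")
    for child in rules:
        if child.tag != "rule":
            problems.append("<%s> is not a <rule>" % child.tag)
        elif child.find("check_diff") is not None and child.find("match") is None:
            problems.append("rule %s has <check_diff /> but no <match>" % child.get("id"))
    for tag, text in _stray_text(rules):
        problems.append("stray text %r after </%s> in rules file" % (text, tag))
    return problems


def rule_matches(pattern, event):
    """Emulate <match> (assumption): '|' separates alternatives, each a substring.
    The doc's pattern thus splits at the pipe inside the command line; the first
    alternative, "ossec: output: 'netstat -tan ", is what fires."""
    return any(alt in event for alt in pattern.split("|"))


class CheckDiff:
    """Emulate <check_diff /> (assumption): alert only when a rule's output differs
    from the last one stored; the first observation is the baseline, no alert."""
    def __init__(self):
        self.last = {}

    def observe(self, rule_id, output):
        prev = self.last.get(rule_id)
        self.last[rule_id] = output
        return prev is not None and prev != output


def evaluate(local_rules, events):
    """Run constructed events through the first rule; True means it would alert."""
    rule = ET.fromstring(local_rules).find("rule")
    pattern = rule.findtext("match")
    diff = CheckDiff()
    return [rule_matches(pattern, ev) and diff.observe(rule.get("id"), ev) for ev in events]


# Constructed events in the assumed full_command shape:
# "ossec: output: '<command>':" followed by the command's output.
CMD = "netstat -tan |grep LISTEN|grep -v 127.0.0.1"
EVENT_BASE = "ossec: output: '%s':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\n" % CMD
EVENT_NEW_PORT = EVENT_BASE + "tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN\n"
EVENT_OTHER = "ossec: output: 'uptime':\n 12:00 up 3 days\n"

if __name__ == "__main__":
    for p in lint_placement(BROKEN_OSSEC_CONF, EMPTY_LOCAL_RULES):
        print("broken:", p)
    print("fixed:", lint_placement(FIXED_OSSEC_CONF, FIXED_LOCAL_RULES) or "ok")
    print(evaluate(FIXED_LOCAL_RULES, [EVENT_BASE, EVENT_BASE, EVENT_NEW_PORT, EVENT_OTHER]))
```

Run it as a script and the broken layout reports both the misplaced <rule> and the stray quote, the fixed layout reports nothing, and the event sequence alerts only on the third event, when a new listening port appears. To check the real thing after splitting the files, feed a captured "ossec: output: '...'" event to /var/ossec/bin/ossec-logtest and confirm rule 140123 is the one that fires.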
