Thanks to Steve for reporting this. Yes, the rule bro-ids.xml was removed in 2.8 since it did not work anyway. Please delete the line in your /var/ossec/etc/ossec.conf to avoid the error message.
On Wednesday, June 4, 2014 9:57:04 AM UTC-7, Steven Stern wrote:
>
> At the end of ./install.sh
>
> OSSEC HIDS v2.7.1 Stopped
> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
> ossec-analysisd: Configuration error. Exiting.
>
> - Configuration finished properly.
>
> service ossec start
> Starting OSSEC: [FAILED]
>
> from ossec.log
>
> 2014/06/04 11:48:27 ossec-execd(1314): INFO: Shutdown received. Deleting
> responses.
> 2014/06/04 11:48:27 ossec-execd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2014/06/04 11:48:28 ossec-testrule: INFO: Reading local decoder file.
> 2014/06/04 11:48:28 ossec-analysisd: Invalid decoder name: 'bro-ids'.
> 2014/06/04 11:48:28 ossec-testrule(1220): ERROR: Error loading the
> rules: 'bro-ids_rules.xml'.
> 2014/06/04 11:49:32 ossec-testrule: INFO: Reading local decoder file.
> 2014/06/04 11:49:32 ossec-analysisd: Invalid decoder name: 'bro-ids'.
> 2014/06/04 11:49:32 ossec-testrule(1220): ERROR: Error loading the
> rules: 'bro-ids_rules.xml'.
>
> Contents of ossec-init.conf:
>
> DIRECTORY="/var/ossec"
> VERSION="v2.8"
> DATE="Wed Jun 4 11:48:28 CDT 2014"
> TYPE="local"
>
> Per another email message, deleting the line in
> /var/ossec/etc/ossec.conf that includes the bro-ids.xml file fixed things.
>
>
> --
> -- Steve
> --
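
A small helper for the situation in this thread, added here as an example and not part of the original messages or of OSSEC itself: it reads the rules file names from `Error loading the rules` entries in ossec.log and prints the matching `<include>` lines, with line numbers, from ossec.conf, so the line to delete is easy to locate. The function names and the sample log and config are constructed for illustration.

```shell
#!/bin/sh
# Added example: map "Error loading the rules" entries in ossec.log to the
# <include> lines in ossec.conf that reference the failing rules file.

# Print each distinct rules file named in an "Error loading the rules" entry.
failed_rule_files() {
    # $1 = path to ossec.log
    sed -n "s/.*ERROR: Error loading the rules: '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Print "LINENO:TEXT" for every <include> in the config naming a failed file.
stale_includes() {
    # $1 = path to ossec.log, $2 = path to ossec.conf
    failed_rule_files "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        grep -n -F "<include>${name}</include>" "$2" || true
    done
}

# Constructed sample data (not from a real host), modelled on the log above.
make_sample() {
    # $1 = directory to write the sample ossec.log and ossec.conf into
    cat > "$1/ossec.log" <<'EOF'
2014/06/04 11:48:28 ossec-testrule: INFO: Reading local decoder file.
2014/06/04 11:48:28 ossec-analysisd: Invalid decoder name: 'bro-ids'.
2014/06/04 11:48:28 ossec-testrule(1220): ERROR: Error loading the rules: 'bro-ids_rules.xml'.
2014/06/04 11:49:32 ossec-testrule(1220): ERROR: Error loading the rules: 'bro-ids_rules.xml'.
EOF
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>sshd_rules.xml</include>
    <include>bro-ids_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
stale_includes "$tmp/ossec.log" "$tmp/ossec.conf"
rm -rf "$tmp"
```

On a real install, pass `/var/ossec/logs/ossec.log` and `/var/ossec/etc/ossec.conf` as the two arguments; the script only reports lines and changes nothing.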
