Here is an example of the rule:

<rule id="100263" level="0">
  <if_sid>100109</if_sid>
  <regex>Account Name:\s*\t*\S+\$\s*\t*\s*Account Domain:</regex>
  <description>Custom: NT computer login/off success.</description>
  <group>authentication_success,</group>
</rule>

From the log:

2014/06/07 16:26:01 ossec-analysisd(1227): ERROR: Error applying XML variables 'rules//local_rules.xml': XMLERR: Unknown variable: '\s*\t*\s*Account'..
2014/06/07 16:26:01 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Hope that helps,
JES
