On Tue, Aug 5, 2014 at 6:28 AM, angel wings <[email protected]> wrote:
> Hi,
>
> To ignore failed user authentications from a certain user I put the
> following in the local_rules.xml
>
> <group name="ExcludeUserX">
>   <rule id="117000" level="0">
>     <if_sid>2501</if_sid> <!-- syslog_rules.xml -->
>     <match>Authentication failed for userX</match>
>     <description>ignore not changed password UserX</description>
>   </rule>
> </group>
>
> After saving and restarting the ossec service I get the following error in the
> ossec log.
>
> 2014/08/05 12:12:28 rules_list: Signature ID '2501' not found. Invalid 'if_sid'.
>
> I checked:
> My rule id is okay
> sid 2501 does exist in syslog_rules.xml
>
> Can someone help me?

Copy and pasting that rule works fine for me (I ignored the group stuff). Try re-entering it.
