Hi Dan, thanks for your reaction. I re-entered the text. Also copied and pasted another working rule etc. As soon as I use the rule number 2501 or 2502 it gives the mentioned error.

On Tuesday, 5 August 2014 13:43:28 UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Aug 5, 2014 at 6:28 AM, angel wings <[email protected]> wrote:
> > Hi,
> >
> > To ignore failed user authentications from a certain user I put the
> > following in the local_rules.xml
> >
> > <group name="ExcludeUserX">
> >   <rule id="117000" level="0">
> >     <if_sid>2501</if_sid> <!-- syslog_rules.xml -->
> >     <match>Authentication failed for userX</match>
> >     <description>ignore not changed password UserX</description>
> >   </rule>
> > </group>
> >
> > After saving and restarting the ossec service I get the following error in the
> > ossec log.
> >
> > 2014/08/05 12:12:28 rules_list: Signature ID '2501' not found. Invalid 'if_sid'.
> >
> > I checked:
> > My rule id is okay
> > sid 2501 does exist in syslog_rules.xml
> >
> > Can someone help me?
> >
>
> Copy and pasting that rule works fine for me (I ignored the group
> stuff). Try re-entering it.
