So many levels of weird. Can you try adding a completely different rule and see if you are getting an error? Just checking if we have an error with the number of rules. (Random guess.)

> On Sep 18, 2014, at 8:12 PM, "Dave Martin" <[email protected]> wrote:
>
> I recently installed OSSEC 2.8 and have been adding rules to local_rules.xml
> with no problems until today.
>
> When I add the following rule:
>
> <rule id="100117" level="0">
>   <if_group>syslog</if_group>
>   <match>%ASA-3-305006: regular translation creation failed for icmp</match>
>   <description>Ignore Cisco ASA error 305006</description>
> </rule>
>
> I see the following errors on restart:
>
> 2014/09/18 17:03:11 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2014/09/18 17:03:11 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
> If I comment the rule and restart, all components start up without error.
> Totally repeatable. This suggests that there are no problems with
> permissions, etc.
>
> The odd thing is that the local_rules.xml contains a nearly-identical rule
> that causes no such problems:
>
> <rule id="100110" level="0">
>   <if_group>syslog</if_group>
>   <match>%ASA-4-313005: No matching connection for ICMP error
> message</match>
>   <description>Ignore Cisco ASA error 313005</description>
> </rule>
>
> I've retyped and pasted and edited the working rule to guarantee that there
> are no invisible characters.
>
> Any ideas what could be causing these errors?
>
> Thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
