Hi,
I have another problem. I added a new file to my OSSEC rules, and after 
reloading OSSEC I have something like this in the OSSEC logs:

2015/07/10 21:35:28 ossec-testrule: INFO: Reading local decoder file.
2015/07/10 21:35:28 ossec-analysisd: Invalid decoder name: 'usermod'.
2015/07/10 21:35:28 ossec-testrule(1220): ERROR: Error loading the rules: 'usermod_rules.xml'.


My decoder in decoder.xml is below:

<decoder name="usermod">
  <program_name>^usermod</program_name>
</decoder>

<decoder name="usermod-locked">
  <parent>usermod</parent>
  <prematch>^lock \S+ </prematch>
  <regex offset="after_prematch">^user (\S+) password$</regex>
  <order>user, srcip</order>
</decoder>


And my usermod_rules.xml is below:

<group name="usermod">
<rule id="100020" level="2">
 <decoded_as>usermod</decoded_as>
 <description>USERMOD messages grouped.</description>
</rule>

<rule id="100021" level="10">
 <if_sid>100020</if_sid>
 <match>lock user</match>
 <description>Usser account locked</description>
 </rule>


Of course, I added the file name in /var/ossec/etc/ossec in the <rules> block.


Where is the mistake? What am I doing wrong?

