I don't see that you closed the <group name="usermod"> section of your XML 
with a </group>.

That might be it!


On Friday, July 10, 2015 at 12:51:03 PM UTC-7, repquota wrote:
>
> Hi,
> I have another problem. I added a new file to my OSSEC rules, and after 
> reloading OSSEC I have something like this in the OSSEC logs:
>
> 2015/07/10 21:35:28 ossec-testrule: INFO: Reading local decoder file.
> 2015/07/10 21:35:28 ossec-analysisd: Invalid decoder name: 'usermod'.
> 2015/07/10 21:35:28 ossec-testrule(1220): ERROR: Error loading the rules: 
> 'usermod_rules.xml'.
>
>
> my decoder in decoder.xml below:
>
> <decoder name="usermod">
>   <program_name>^usermod</program_name>
> </decoder>
>
> <decoder name="usermod-locked">
>   <parent>usermod</parent>
>   <prematch>^lock \S+ </prematch>
>   <regex offset="after_prematch">^user (\S+) password$</regex>
>   <order>user</order>
> </decoder>
>
>
> and my usermod_rules.xml below:
>
> <group name="usermod">
>
> <rule id="100020" level="2">
>   <decoded_as>usermod</decoded_as>
>   <description>USERMOD messages grouped.</description>
> </rule>
>
> <rule id="100021" level="10">
>   <if_sid>100020</if_sid>
>   <match>lock user</match>
>   <description>User account locked</description>
> </rule>
>
>
> Of course I added the file name in /var/ossec/etc/ossec in the <rules> block.
>
>
> Where is the mistake? What am I doing wrong?
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
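As an added example (not code from this thread and not part of OSSEC itself), here are the pre-flight checks a practitioner would run on local decoder and rule files before reloading ossec-analysisd, since "Error loading the rules" says nothing about the cause. A strict XML parse catches an unclosed <group>, the rules file is cross-checked against the decoder names it references with <decoded_as>, duplicate rule ids are reported, and each decoder's <order> is compared against the number of capture groups in its <regex>. The decoder and rules XML embedded in the script are constructed for this example, modelled on the files posted above; the decoder deliberately keeps an <order> with two fields against a regex with one capture group so the count check has something to report. The function names and the group-counting heuristic are this example's own assumptions, not OSSEC's loader logic.

```python
"""Pre-flight checks for OSSEC local decoders and rules (added example, not OSSEC code)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from collections.abc import Iterable


def parse_ossec_xml(text: str) -> ET.Element:
    """OSSEC files hold several top-level <decoder>/<group> elements with no
    single document root, so wrap them in a synthetic root before a strict
    parse. Raises ET.ParseError on malformed XML such as an unclosed <group>.
    A bare '<' or '&' inside a regex must be written as &lt; / &amp; in the
    file, as OSSEC's own rule files do."""
    return ET.fromstring("<ossec_check>" + text + "</ossec_check>")


def decoder_names(decoder_xml: str) -> set[str]:
    """Names of every <decoder> in the given file."""
    root = parse_ossec_xml(decoder_xml)
    return {d.get("name") for d in root.iter("decoder") if d.get("name")}


def check_decoders(decoder_xml: str, known: Iterable[str] = ()) -> list[str]:
    """Problems in a decoder file. `known` holds decoder names loaded earlier
    (e.g. from the main decoder.xml) that a <parent> may legitimately name."""
    try:
        root = parse_ossec_xml(decoder_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems: list[str] = []
    names = set(known)
    for dec in root.iter("decoder"):
        name = dec.get("name")
        if not name:
            problems.append("decoder without a name attribute")
            continue
        parent = (dec.findtext("parent") or "").strip()
        if parent and parent not in names:
            problems.append(f"decoder {name}: parent '{parent}' is not defined before it")
        names.add(name)
        order, regex = dec.findtext("order"), dec.findtext("regex")
        if order and regex:
            fields = [f.strip() for f in order.split(",") if f.strip()]
            # Heuristic (assumption): every unescaped '(' in an OSSEC regex
            # opens one capture group that <order> must name.
            groups = len(re.findall(r"(?<!\\)\(", regex))
            if len(fields) != groups:
                problems.append(
                    f"decoder {name}: <order> lists {len(fields)} field(s) "
                    f"but <regex> captures {groups} group(s)")
    return problems


def check_rules(rules_xml: str, decoders: Iterable[str]) -> list[str]:
    """Problems in a rules file, given the decoder names it is allowed to use."""
    try:
        root = parse_ossec_xml(rules_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    decoders = set(decoders)
    problems: list[str] = []
    seen: set[str] = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None:
            problems.append("rule without an id attribute")
            continue
        if rid in seen:
            problems.append(f"duplicate rule id {rid}")
        seen.add(rid)
        for tag in rule.findall("decoded_as"):
            name = (tag.text or "").strip()
            if name not in decoders:
                problems.append(f"rule {rid}: decoded_as '{name}' matches no decoder")
    return problems


# Constructed sample input modelled on the thread; the second decoder keeps a
# two-field <order> against a one-group regex so the count check fires.
DECODERS = r"""
<decoder name="usermod">
  <program_name>^usermod</program_name>
</decoder>

<decoder name="usermod-locked">
  <parent>usermod</parent>
  <prematch>^lock \S+ </prematch>
  <regex offset="after_prematch">^user (\S+) password$</regex>
  <order>user, srcip</order>
</decoder>
"""

RULES_BODY = """
<group name="usermod">
<rule id="100020" level="2">
  <decoded_as>usermod</decoded_as>
  <description>USERMOD messages grouped.</description>
</rule>
<rule id="100021" level="10">
  <if_sid>100020</if_sid>
  <match>lock user</match>
  <description>User account locked</description>
</rule>
"""
RULES_UNCLOSED = RULES_BODY                 # the posted file: no </group>
RULES_FIXED = RULES_BODY + "</group>\n"     # the same file with the group closed

if __name__ == "__main__":
    names = decoder_names(DECODERS)
    for label, text in (("unclosed", RULES_UNCLOSED), ("fixed", RULES_FIXED)):
        print(label, check_rules(text, names) or "OK")
    print("decoders", check_decoders(DECODERS) or "OK")
```

Run it as a script to see the three reports; in a real deployment point `DECODERS` and the rules strings at the contents of local_decoder.xml and the file named in the <rules> block of ossec.conf, and pass `decoder_names()` of the main decoder.xml as `known` so parents defined there are not flagged.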