Hi,
did you create a new rule with "if_group"? Could you paste the full output of
logtest here?
Here is an example of "if_group" (local_rules.xml):
<!--
  Feb 27 12:57:40 LinMV sshd[1552]: pam_unix(sshd:session): session opened for user root by (uid=0)
-->
<group name="test,">
  <rule id="100002" level="4">
    <if_group>authentication_success</if_group>
    <group>authentication_success</group>
    <description>Hi, this is an authentication_success</description>
  </rule>
</group>

Feb 27 12:57:40 LinMV sshd[1552]: pam_unix(sshd:session): session opened for user root by (uid=0)

**Phase 1: Completed pre-decoding.
       full event: 'Feb 27 12:57:40 LinMV sshd[1552]: pam_unix(sshd:session): session opened for user root by (uid=0)'
       hostname: 'LinMV'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '4'
       Description: 'Hi, this is an authentication_success'
**Alert to be generated.
Regards.
On Saturday, February 27, 2016 at 6:20:39 AM UTC+1, Barry Kaplan wrote:
>
> I made an attempt to trim down the rules but ended up with the following
> error:
>
> 2016/02/27 05:05:24 rules_list: Group 'authentication_success' not found.
> Invalid 'if_group'
>
> Do rules need to be loaded in a specific order, or did I remove a file that
> is depended on by another file? In either case, is there a way to determine
> the dependencies?
>
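The question quoted above asks how to find which rule file an `if_group` depends on. The checker below is an added example, not code from this thread or from the OSSEC project: it walks rule files in load order, records which rule ids carry each group (the `name` attribute of the enclosing `<group>` plus each rule's own `<group>` elements), and reports every `<if_group>` whose group no earlier-loaded rule provides, which is the condition behind the "Group ... not found. Invalid 'if_group'" startup error. The two embedded rule files are constructed (the pam one is a minimal stand-in for the stock rule), and treating `|` as alternatives inside `<if_group>` is an assumption about the matcher.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock pam rule that *provides* the group.
PAM_RULES = """
<group name="pam,syslog,">
  <rule id="5501" level="3">
    <description>Login session opened.</description>
    <group>authentication_success,</group>
  </rule>
</group>
"""

# The local rule from the post above, which *depends* on that group.
LOCAL_RULES = """
<group name="test,">
  <rule id="100002" level="4">
    <if_group>authentication_success</if_group>
    <group>authentication_success</group>
    <description>Hi, this is an authentication_success</description>
  </rule>
</group>
"""

def _names(text):
    """OSSEC lists groups comma-separated, usually with a trailing comma."""
    return [g.strip() for g in (text or "").split(",") if g.strip()]

def check_if_group_deps(rule_files):
    """rule_files: [(filename, xml_text), ...] in ossec.conf load order.
    Returns (providers, errors): providers maps group -> rule ids carrying it;
    errors lists <if_group>s naming a group no earlier-loaded rule provides."""
    providers, errors = {}, []
    for fname, xml_text in rule_files:
        # A rule file holds several top-level <group> blocks; give it one root.
        root = ET.fromstring("<root>" + xml_text + "</root>")
        for block in root.findall("group"):
            inherited = _names(block.get("name"))  # groups from the wrapper
            for rule in block.findall("rule"):
                rid = rule.get("id")
                for dep in rule.findall("if_group"):
                    # '|' separates alternatives (assumed to mirror OSSEC's matcher)
                    wanted = [w.strip() for w in (dep.text or "").split("|")]
                    if not any(w in providers for w in wanted):
                        errors.append(f"{fname}: rule {rid}: Group '{dep.text}' "
                                      "not found. Invalid 'if_group'")
                # Only now does this rule start providing its groups to later rules.
                own = [g for el in rule.findall("group") for g in _names(el.text)]
                for g in inherited + own:
                    providers.setdefault(g, []).append(rid)
    return providers, errors
```

Feeding it the files in the order ossec.conf lists them shows both the missing provider and, from the returned map, which earlier file (here pam_rules.xml) must stay enabled for local_rules.xml to load.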
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.