On Fri, Sep 9, 2016 at 4:57 AM, Saurabh Garg <[email protected]> wrote:
> Michael,
>
> Were you able to restart OSSEC after editing syslog_rules.xml? Did it not
> fail throwing the below message:
> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>

Looking at /var/ossec/logs/ossec.log or running `/var/ossec/bin/ossec-logtest -t` might give you a better clue as to what you did incorrectly. If you need assistance, please start your own thread and provide details.

> - Saurabh
>
>
> On Monday, July 7, 2014 at 8:53:24 PM UTC+5:30, Michael Starks wrote:
>>
>> On 2014-07-07 10:07, Randy Dover wrote:
>> > How should I comment it out?
>> > I edited syslog_rules.xml (in
>> > The way I edited it was:
>> > # <rule id='1003'...
>> > # <description...
>> > # </rule>
>> >
>> > So, in essence, I just put a "#" in front of each of the lines.
>> >
>> > That didn't work. I'm still getting the emails. And getting a lot of
>> > them.
>>
>> XML comments are like this: <!-- stuff here -->. So, your rule should
>> look like this:
>>
>> <!-- rule id="1003" level="13" maxsize="304900">
>> <description>Non standard syslog message (size too
>> large).</description>
>> </rule -->
>>
>> Keep in mind that this is an exceptional case. Normally, you wouldn't
>> want to modify rules in any place other than local_rules.xml, as they
>> will be overwritten on upgrades.
>>
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
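An added example, not part of the original thread or of OSSEC itself: a small audit that shows why the `#` prefix left rule 1003 active while the `<!-- ... -->` form disables a rule. It assumes Python's `xml.etree` as a stand-in for XML parsing in general (OSSEC uses its own parser); the sample file and rule ids 100001 and 100002 are constructed, and `audit_rules` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rules file (not a real OSSEC ruleset). Rule 1003 is
# prefixed with '#', rule 100001 is inside an XML comment, rule 100002 is active.
SAMPLE = """\
<group name="syslog,">
#  <rule id="1003" level="13" maxsize="304900">
#    <description>Non standard syslog message (size too large).</description>
#  </rule>
<!-- rule id="100001" level="5">
    <description>Constructed rule disabled with an XML comment.</description>
  </rule -->
  <rule id="100002" level="3">
    <description>Constructed rule left active.</description>
  </rule>
</group>
"""

# A line that starts with '#' followed by an XML tag: a shell-style
# "comment" that XML treats as ordinary text in front of a live element.
HASH_LINE = re.compile(r"^\s*#\s*</?\w")


def audit_rules(text):
    """Return (ids of rules the XML parser still sees, '#'-prefixed line numbers)."""
    # Rules files may hold several top-level <group> elements, so wrap them
    # in a synthetic root before parsing.
    root = ET.fromstring("<root>" + text + "</root>")
    active = [rule.get("id") for rule in root.iter("rule")]
    hash_lines = [n for n, line in enumerate(text.splitlines(), 1)
                  if HASH_LINE.match(line)]
    return active, hash_lines


if __name__ == "__main__":
    active, hash_lines = audit_rules(SAMPLE)
    print("rules still active:", active)
    print("lines using '#' instead of <!-- -->:", hash_lines)
```

Running a check like this before restarting complements `/var/ossec/bin/ossec-logtest -t`, which tests the configuration with OSSEC's own parser.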
