Nice find Pedro! That was the problem. I wish the documentation had said that it was regex based. Lol. At least it's working now. :) Many thanks
On Saturday, October 29, 2016 at 3:53:53 PM UTC-5, Brad wrote:
>
> Hi all,
>
> I'm setting up an AR and it works if I only use 1 rules_group or if I use
> multiple rules_id but not if I use multiple rules_group. Here is the code.
>
> WORKS:
> <active-response>
>   <command>ipv6-subnet-log</command>
>   <location>local</location>
>   <rules_group>authentication_failed</rules_group>
> </active-response>
>
> WORKS:
> <active-response>
>   <command>ipv6-subnet-log</command>
>   <location>local</location>
>   <rules_id>5716,5718</rules_id>
> </active-response>
>
> DOESN'T WORK:
> <active-response>
>   <command>ipv6-subnet-log</command>
>   <location>local</location>
>   <rules_group>authentication_failed,invalid_login</rules_group>
> </active-response>
>
> According to the documentation that should work but it doesn't. Any idea
> why?
>
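Added illustration (not part of the thread and not OSSEC code): a small model of the behaviour the reply describes, where the `rules_group` value is searched as a regex against a rule's group string. Python's `re` stands in for OSSEC's own regex engine, the rule names and group strings are constructed, and the `|` form is an assumption that follows from regex matching rather than something quoted in the thread.

```python
import re

# Constructed sample data: hypothetical rules with comma-separated group
# strings in the style OSSEC rules use. Not copied from a real ruleset.
RULE_GROUPS = {
    "rule_a": "syslog,sshd,authentication_failed,",
    "rule_b": "syslog,sshd,invalid_login,",
    "rule_c": "syslog,sshd,login_time,",
}


def matching_rules(rules_group, rule_groups=RULE_GROUPS):
    """Return the rules an active response would cover if <rules_group>
    is an unanchored regex searched against each rule's group string."""
    pattern = re.compile(rules_group)
    return sorted(
        name for name, groups in rule_groups.items() if pattern.search(groups)
    )


def uncovered(rules_group, expected, rule_groups=RULE_GROUPS):
    """Rules the operator expected the active response to cover but that
    the pattern misses. A non-empty result is a silent response gap."""
    return sorted(set(expected) - set(matching_rules(rules_group, rule_groups)))


if __name__ == "__main__":
    expected = ["rule_a", "rule_b"]
    for value in (
        "authentication_failed",                # single group from the post
        "authentication_failed,invalid_login",  # comma form from the post
        "authentication_failed|invalid_login",  # regex alternation (assumed)
        "login",                                # short pattern over-matches
    ):
        print(f"{value!r}: covers {matching_rules(value)}, "
              f"misses {uncovered(value, expected)}")
```

Under this model the comma form is one literal string that no rule's group list contains, so the response never fires and nothing reports the gap. Because the search is unanchored, a short pattern such as `login` also covers rules that were never meant to trigger the command.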
