On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams <tsinfosect...@gmail.com> wrote:
> Hi,
>
> I tried to do this, but I'm getting:
>
> ERROR: Parent decoder name invalid: 'rootcheck'
> ERROR: Error adding decoder plugin
>
> I don't see the rootcheck decoder within decoder.xml either. Any ideas?
>
It must be one of the built-in decoders, and I guess those can't be used for child decoders. No other ideas at the moment, but I'll keep thinking about it.

> Thanks again for the help!
>
>
> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>
>> Hi all,
>>
>> I'm running into an issue where rule 510 is triggering and I'm getting
>> spammed with alerts, but I can't seem to tune it correctly. What's weird is
>> that I am still getting alerted for rule 510 for this log, but I can't
>> figure out how to get that to show in logtest. Basically, I am getting
>> spammed with rule 510 and trying to filter it down more, and here is what
>> happens when I enter the log in logtest: .... any ideas on how to fix
>> this?
>>
>> **Phase 1: Completed pre-decoding.
>>
>> full event: 'File '/filepath/' is owned by root and has written
>> permissions to anyone.'
>>
>> hostname: 'hostname'
>>
>> program_name: '(null)'
>>
>> log: 'File '/filepath/' is owned by root and has written
>> permissions to anyone.'
>>
>>
>> **Phase 2: Completed decoding.
>>
>> decoder: 'sample_decoder_setup'
>>
>> id: '/filepath/'
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
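The tuning this thread is after does not need a child decoder at all. Rootcheck events are handled by a decoder compiled into ossec-analysisd, which is why it is absent from decoder.xml and why naming it as a `<parent>` fails with "Parent decoder name invalid". The usual way to quiet a specific rootcheck finding is a local rule that is a child of rule 510 and matches the message text. The block below is an added example, not code from the thread or from the OSSEC project: the rule ID 100510 and the group name are assumptions, `/filepath/` is the placeholder from the quoted logtest output, and the `<match>` string is the rootcheck message quoted above.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not from the thread.
     Rule 100510 is a child of the built-in rootcheck rule 510. When a
     rootcheck event contains the matched text, level 0 suppresses the alert
     without touching any decoder. The ID 100510 is an assumption; local
     rule IDs belong in the 100000-119999 range reserved for user rules. -->
<group name="local,rootcheck,">

  <!-- Silence the "world-writable, owned by root" rootcheck finding.
       <match> is a substring match; prefix it with ^ to anchor at the
       start of the message, e.g. <match>^File '/filepath/</match>, to
       ignore only files under one placeholder directory and keep alerting
       for everything else. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <match>is owned by root and has written permissions to anyone</match>
    <description>Ignore rootcheck alert for world-writable root-owned file.</description>
  </rule>

</group>
```

One caveat on verification: pasting the rootcheck text into ossec-logtest will not exercise this rule. logtest feeds its input through the ordinary log decoders, which is why Phase 2 in the quoted output selects `sample_decoder_setup` rather than the rootcheck decoder and never reaches rule 510; live rootcheck results arrive at analysisd through the rootcheck queue and are routed to the built-in decoder before any rule matching. To confirm the rule, restart the OSSEC server after editing local_rules.xml and check that the rule 510 alert for that message stops appearing in alerts.log after the next rootcheck scan.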