Hi dan, It's work, Only include two files:
<rules> <include>rules_config.xml</include> <include>ossec_rules.xml</include> </rules> And change config to rules_config.xml to: <!-- @(#) $Id: ./etc/rules/rules_config.xml, 2011/09/08 dcid Exp $ - Rules config. - Configuration options. This file must always be included, otherwise - most of the rules will not work properly. - - Copyright (C) 2009 Trend Micro Inc. - All rights reserved. - - This program is a free software; you can redistribute it - and/or modify it under the terms of the GNU General Public - License (version 2) as published by the FSF - Free Software - Foundation. - - License details: http://www.ossec.net/en/licensing.html --> <group name="syslog"> <rule id="01" level="0" noalert="1"> <category>syslog</category> <description>Generic template for all syslog rules.</description> </rule> </group> <group name="ids"> <rule id="03" level="0" noalert="1"> <category>ids</category> <description>Generic template for all ids rules.</description> </rule> </group> <group name="windows"> <rule id="06" level="0" noalert="1"> <category>windows</category> <description>Generic template for all windows rules.</description> </rule> </group> <group name="ossec"> <rule id="07" level="0" noalert="1"> <category>ossec</category> <description>Generic template for all ossec rules.</description> </rule> </group> <!-- EOF --> Restart ossec Thanks for help! El miércoles, 3 de mayo de 2017, 22:50:10 (UTC+2), dan (ddpbsd) escribió: > > On Tue, May 2, 2017 at 4:37 AM, Huc Manté Miras <hucm...@gmail.com > <javascript:>> wrote: > > Only its needed to include two rule files: > > > > > > <rules> > > <include>rules_config.xml</include> > > <include>ossec_rules.xml</include> > > </rules> > > > > Using just those 2 files allows OSSEC to start for me. > You can check the ossec.log for more information on why it failed. I'm > guessing something in local_rules.xml that relied on a rule that was > removed. > > > > > > > El martes, 2 de mayo de 2017, 10:24:23 (UTC+2), Huc Manté Miras > escribió: > >> > >> Sorry man in the my last comment, i send the information. > >> > >> El miércoles, 26 de abril de 2017, 21:01:24 (UTC+2), dan (ddpbsd) > >> escribió: > >>> > >>> On Wed, Apr 26, 2017 at 5:42 AM, Huc Manté Miras <hucm...@gmail.com> > >>> wrote: > >>> > I try to remove all includes but not work :( > >>> > > >>> > >>> You provided me with no information to help correct the issue. > >>> > >>> > El martes, 25 de abril de 2017, 17:41:56 (UTC+2), dan (ddpbsd) > >>> > escribió: > >>> >> > >>> >> > >>> >> > >>> >> On Apr 25, 2017 11:25 AM, "Huc Manté Miras" <hucm...@gmail.com> > wrote: > >>> >> > >>> >> Hello, > >>> >> > >>> >> I try to disable all rules to ossec server. > >>> >> > >>> >> This is possible? > >>> >> > >>> >> > >>> >> Have you tried removing the rules from the server's ossec.conf? > >>> >> > >>> >> > >>> >> > >>> >> Thanks!! > >>> >> > >>> >> -- > >>> >> > >>> >> --- > >>> >> You received this message because you are subscribed to the Google > >>> >> Groups > >>> >> "ossec-list" group. > >>> >> To unsubscribe from this group and stop receiving emails from it, > send > >>> >> an > >>> >> email to ossec-list+...@googlegroups.com. > >>> >> For more options, visit https://groups.google.com/d/optout. > >>> >> > >>> >> > >>> > -- > >>> > > >>> > --- > >>> > You received this message because you are subscribed to the Google > >>> > Groups > >>> > "ossec-list" group. > >>> > To unsubscribe from this group and stop receiving emails from it, > send > >>> > an > >>> > email to ossec-list+...@googlegroups.com. > >>> > For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.