Hi Guys! I have the same problem. After creating a rule file for pfsense.
I created a decoder but I had no problem with it, it's working. The error only appeared after the rule file was created. Does anyone know how to solve it?

On Tuesday, December 2, 2014 17:34:18 UTC-3, dan (ddpbsd) wrote:
>
> On Dec 2, 2014 3:31 PM, "Bill Price" <[email protected]> wrote:
> >
> > Yes and No. The rules files are in /var/ossec/etc/rules. I did not put them there. But whenever ossec-logtest finds any rule, I get: rules_list: Category '1' not found. Invalid 'category'
> >
>
> If the source has been modified this will be even harder to diagnose. Perhaps you can find out what your predecessor did?
>
> > On Tuesday, December 2, 2014 3:06:33 PM UTC-5, dan (ddpbsd) wrote:
> >>
> >> On Tue, Dec 2, 2014 at 3:03 PM, Bill Price <[email protected]> wrote:
> >> > No. I get: ossec-testrule(1220): ERROR: Error loading the rules: 'rules_config.xml'
> >> >
> >>
> >> Do you have:
> >> <rules>
> >> <include>rules_config.xml</include>
> >> in your ossec.conf?
> >>
> >> Or is that file missing from /var/ossec/rules?
> >>
> >> > On Tuesday, December 2, 2014 2:49:38 PM UTC-5, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Dec 2, 2014 at 2:46 PM, Bill Price <[email protected]> wrote:
> >> >> > I initially made changes to local_rules.xml and local_decoder.xml. I got the same error. I backed those files out. I tried moving all the rule files out of the rule directory but syslog_rules, but got the same error. The only change I've made was adding a "rule dir" specification to ossec.conf. I was told that the installation was fresh, but there could be a chance someone else has changed something
> >> >> >
> >> >>
> >> >> If you remove this "rule dir specification" thing, does it work?
> >> >>
> >> >> > On Tuesday, December 2, 2014 2:32:42 PM UTC-5, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Tue, Dec 2, 2014 at 2:29 PM, Bill Price <[email protected]> wrote:
> >> >> >> > I ran ossec-logtest
> >> >> >> >
> >> >> >>
> >> >> >> You made no changes to the OSSEC rules or decoders? Very strange, I haven't seen any other reports of this. What version of OSSEC did you install? Is this a local installation or server?
> >> >> >>
> >> >> >> I'll start looking through the code to see where that error could have come from.
> >> >> >>
> >> >> >> > On Tuesday, December 2, 2014 2:24:06 PM UTC-5, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Tue, Dec 2, 2014 at 2:22 PM, Bill Price <[email protected]> wrote:
> >> >> >> >> > I was asked to set up decoders and rules on a client. When I run ossec-test, I get the following error message:
> >> >> >> >> >
> >> >> >> >> > rules_list: Category '1' not found. Invalid 'category'
> >> >> >> >> >
> >> >> >> >> > All the Categories in the rules xml are the standard ones (ids, syslog, firewall, web-log, squid, ossec or windows)
> >> >> >> >> >
> >> >> >> >> > Any ideas on what is wrong?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> What did you do?
> >> >> >> >>
> >> >> >> >> > --
> >> >> >> >> >
> >> >> >> >> > ---
> >> >> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
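
The checks made by hand in this thread (is `rules_config.xml` listed in ossec.conf, does every `<include>` exist in the rules directory, is every `<category>` one of the standard names) can be scripted. This is an added example, not part of the original thread or of OSSEC; `check_rules`, `demo` and the sample files are constructed for illustration, and it assumes rule files are listed with `<include>` elements as in the quoted snippet.

```python
import re
import tempfile
from pathlib import Path

# Category names listed in the thread as the standard ones.
STANDARD = {"ids", "syslog", "firewall", "web-log", "squid", "ossec", "windows"}
INCLUDE_RE = re.compile(r"<include>\s*([^<\s]+)\s*</include>")
CATEGORY_RE = re.compile(r"<category>\s*([^<]*?)\s*</category>")
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)

def strip_comments(text):
    # Drop XML comments but keep their newlines so line numbers stay correct.
    return COMMENT_RE.sub(lambda m: "\n" * m.group().count("\n"), text)

def check_rules(conf_text, rules_dir):
    """Return findings as (kind, file, line, value) tuples."""
    includes = INCLUDE_RE.findall(strip_comments(conf_text))
    findings = []
    if "rules_config.xml" not in includes:
        findings.append(("not-included", "rules_config.xml", 0, ""))
    for name in includes:
        path = Path(rules_dir, name)
        if not path.is_file():
            findings.append(("missing-file", name, 0, ""))
            continue
        body = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(strip_comments(body).splitlines(), 1):
            for value in CATEGORY_RE.findall(line):
                if value not in STANDARD:
                    findings.append(("bad-category", name, lineno, value))
    return findings

def demo():
    """Run the checks on constructed sample files (not taken from the thread)."""
    conf = ("<ossec_config><rules><include>syslog_rules.xml</include>\n"
            "<!-- <include>disabled_rules.xml</include> -->\n"
            "<include>pfsense_rules.xml</include><include>gone_rules.xml</include>"
            "</rules></ossec_config>")
    samples = {
        "syslog_rules.xml": '<group name="syslog,">\n<rule id="100100" level="0">\n'
                            '<category>syslog</category>\n</rule>\n</group>\n',
        "pfsense_rules.xml": '<group name="pfsense,">\n<!-- two-line\ncomment -->\n'
                             '<rule id="100200" level="0">\n<category>pfsense</category>\n'
                             '</rule>\n</group>\n',
    }
    with tempfile.TemporaryDirectory() as rules_dir:
        for name, body in samples.items():
            Path(rules_dir, name).write_text(body, encoding="utf-8")
        return check_rules(conf, rules_dir)
```

On a real host, pass the contents of ossec.conf and the rules directory in use (the thread mentions both /var/ossec/rules and /var/ossec/etc/rules) to `check_rules`.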
