On Tue, Dec 12, 2017 at 8:35 AM, <[email protected]> wrote:
> Hi Guys!
>
> I have the same problem. After creating a rule file for pfsense.
>
> I created a decoder but I had no problem with it, it's working. The error
> only appeared after the rule file was created.
>
> Does anyone know how to solve it?
>
Can you provide the rule?

>
> On Tuesday, December 2, 2014 at 17:34:18 UTC-3, dan (ddpbsd) wrote:
>>
>> On Dec 2, 2014 3:31 PM, "Bill Price" <[email protected]> wrote:
>> >
>> > Yes and No. The rules files are in /var/ossec/etc/rules. I did not put
>> > them there. But whenever ossec-logtest finds any rule, I get:
>> > rules_list: Category '1' not found. Invalid 'category'
>> >
>>
>> If the source has been modified this will be even harder to diagnose.
>> Perhaps you can find out what your predecessor did?
>>
>> > On Tuesday, December 2, 2014 3:06:33 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Dec 2, 2014 at 3:03 PM, Bill Price <[email protected]>
>> >> wrote:
>> >> > No. I get: ossec-testrule(1220): ERROR: Error loading the rules:
>> >> > 'rules_config.xml'
>> >> >
>> >>
>> >> Do you have:
>> >> <rules>
>> >> <include>rules_config.xml</include>
>> >> in your ossec.conf?
>> >>
>> >> Or is that file missing from /var/ossec/rules?
>> >>
>> >> > On Tuesday, December 2, 2014 2:49:38 PM UTC-5, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Tue, Dec 2, 2014 at 2:46 PM, Bill Price <[email protected]>
>> >> >> wrote:
>> >> >> > I initially made changes to local_rules.xml and local_decoder.xml.
>> >> >> > I got the same error. I backed those files out. I tried moving
>> >> >> > all the rule files out of the rule directory but syslog_rules,
>> >> >> > but got the same error. The only change I've made was adding a
>> >> >> > "rule dir" specification to ossec.conf. I was told that the
>> >> >> > installation was fresh, but there could be a chance someone else
>> >> >> > has changed something
>> >> >> >
>> >> >>
>> >> >> If you remove this "rule dir specification" thing, does it work?
>> >> >>
>> >> >> > On Tuesday, December 2, 2014 2:32:42 PM UTC-5, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Tue, Dec 2, 2014 at 2:29 PM, Bill Price <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > I ran ossec-logtest
>> >> >> >> >
>> >> >> >>
>> >> >> >> You made no changes to the OSSEC rules or decoders? Very strange,
>> >> >> >> I haven't seen any other reports of this. What version of OSSEC
>> >> >> >> did you install? Is this a local installation or server?
>> >> >> >>
>> >> >> >> I'll start looking through the code to see where that error could
>> >> >> >> have come from.
>> >> >> >>
>> >> >> >> > On Tuesday, December 2, 2014 2:24:06 PM UTC-5, dan (ddpbsd)
>> >> >> >> > wrote:
>> >> >> >> >>
>> >> >> >> >> On Tue, Dec 2, 2014 at 2:22 PM, Bill Price <[email protected]>
>> >> >> >> >> wrote:
>> >> >> >> >> > I was asked to set up decoders and rules on a client. When I
>> >> >> >> >> > run ossec-test, I get the following error message:
>> >> >> >> >> >
>> >> >> >> >> > rules_list: Category '1' not found. Invalid 'category'
>> >> >> >> >> >
>> >> >> >> >> > All the Categories in the rules xml are the standard ones
>> >> >> >> >> > (ids, syslog, firewall, web-log, squid, ossec or windows)
>> >> >> >> >> >
>> >> >> >> >> > Any ideas on what is wrong?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> What did you do?
>> >> >> >> >>
>> >> >> >> >> > --
>> >> >> >> >> >
>> >> >> >> >> > ---
>> >> >> >> >> > You received this message because you are subscribed to the
>> >> >> >> >> > Google Groups "ossec-list" group.
>> >> >> >> >> > To unsubscribe from this group and stop receiving emails
>> >> >> >> >> > from it, send an email to [email protected].
>> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
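
The question raised in the thread, whether a file named in an `<include>` inside `<rules>` in ossec.conf is missing from /var/ossec/rules, can be checked mechanically. The following is an added example, not part of the thread and not OSSEC code; it assumes ossec.conf is well-formed XML apart from possibly having several top-level `<ossec_config>` blocks, and the function name and sample configuration are constructed for illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET


def missing_rule_includes(conf_text, rules_dir):
    """Return <include> names from <rules> blocks that are absent from rules_dir."""
    # ossec.conf may contain several <ossec_config> blocks; wrap them in a
    # single root so the text parses as one XML document (assumption: the
    # rest of the file is well-formed XML).
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    missing = []
    for inc in root.iterfind(".//rules/include"):
        name = (inc.text or "").strip()
        # An empty <include> is reported too, since it cannot be loaded.
        if not name or not os.path.isfile(os.path.join(rules_dir, name)):
            missing.append(name)
    return missing


# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>syslog_rules.xml</include>
  </rules>
</ossec_config>
<ossec_config>
  <rules>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
"""


def demo():
    """Build a temporary rules directory that lacks rules_config.xml."""
    with tempfile.TemporaryDirectory() as rules_dir:
        for present in ("syslog_rules.xml", "local_rules.xml"):
            with open(os.path.join(rules_dir, present), "w") as fh:
                fh.write('<group name="constructed"></group>\n')
        return missing_rule_includes(SAMPLE_CONF, rules_dir)


if __name__ == "__main__":
    for name in demo():
        print("include not found in rules directory:", name)
```

On a default installation the inputs would be the contents of /var/ossec/etc/ossec.conf and the directory /var/ossec/rules.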
