You are running an older version of ossec than the ruleset in git. <match> was changed to <pcre2> here: https://github.com/ossec/ossec-rules/commit/15b7ad93ffe4f89d9122337ed93720ff294d81e0
The easiest thing to do is to find your existing rule 1009 from your existing ruleset, and copy that.