Re: [ossec-list] Re: Custom decoder failing to load
On Mon, Mar 23, 2020 at 8:35 AM Olivier Ragain wrote:
>
> Hi
> Sorry for the delay in answering.
>
> The error I get:
> 2020/03/23 12:28:25 ossec-testrule: INFO: Reading decoder file etc/custom/local_decoder.xml.
> 2020/03/23 12:28:25 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> The configuration:
>
> etc/custom
> ...

Are you planning on using the shipped decoder.xml file? If so, you'll need to add it to the config.

>
> Thanks
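An added example (not part of the thread and not OSSEC project code) of a check for the point made in the reply above: a configuration that lists decoders explicitly but leaves out the shipped decoder.xml. The element names `<decoder>` and `<decoder_dir>` under `<rules>`, and both sample configurations, are assumptions constructed for illustration; the paths are the ones quoted in this thread.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: only a custom decoder directory is listed.
CUSTOM_ONLY = """
<ossec_config>
  <rules>
    <decoder_dir>etc/custom</decoder_dir>
  </rules>
</ossec_config>
"""

# Constructed sample: the three paths reported as working in this thread.
WITH_SHIPPED = """
<ossec_config>
  <rules>
    <decoder>etc/decoder.xml</decoder>
    <decoder>etc/local_decoder.xml</decoder>
    <decoder_dir>etc/decoders.d</decoder_dir>
  </rules>
</ossec_config>
"""

def decoder_sources(conf_text):
    """Return (decoder files, decoder directories) listed under <rules>."""
    # ossec.conf can hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    files, dirs = [], []
    for rules in root.iter("rules"):
        files += [e.text.strip() for e in rules.findall("decoder") if e.text]
        dirs += [e.text.strip() for e in rules.findall("decoder_dir") if e.text]
    return files, dirs

def audit(conf_text):
    """Flag a config that lists decoders explicitly but omits the shipped file."""
    files, dirs = decoder_sources(conf_text)
    if not files and not dirs:
        return []  # nothing listed explicitly, so nothing for this check to compare
    if any(posixpath.basename(f) == "decoder.xml" for f in files):
        return []
    listed = ", ".join(files + dirs)
    return ["decoders listed (%s) but the shipped decoder.xml is not among them" % listed]

if __name__ == "__main__":
    for name, conf in (("custom only", CUSTOM_ONLY), ("with shipped", WITH_SHIPPED)):
        print(name, "->", audit(conf) or "ok")
```
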
[ossec-list] Re: Custom decoder failing to load
Hi
Sorry for the delay in answering.

The error I get:
2020/03/23 12:28:25 ossec-testrule: INFO: Reading decoder file etc/custom/local_decoder.xml.
2020/03/23 12:28:25 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
The configuration:

etc/custom
...

Thanks
Re: [ossec-list] Re: Custom decoder failing to load
On Mon, Mar 16, 2020 at 8:43 AM dan (ddp) wrote:
>
> On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain wrote:
> >
> > Hi,
> > So now the question is, why does it not work when I use:
> > decoders configuration in the ossec.conf file?
> > I see that it is loading the file from the logs, but it fails to log the decoder information itself and then ossec won't start.
> > Can anyone explain how to use the decoder_dir configuration element?
> > I want to put all custom rules / decoders / lists in their own folder so that when updates happen, I don't get wiped or impacted for some update reasons.
> > Thanks
> >
>
> Can you provide the configuration you tried?
> I haven't used decoder_dir in a while, but it always worked in the past for me.
>

Using this allowed `ossec-logtest -t` to work for me:

etc/decoder.xml
etc/local_decoder.xml
etc/decoders.d
Re: [ossec-list] Re: Custom decoder failing to load
On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain wrote:
>
> Hi,
> So now the question is, why does it not work when I use:
> decoders configuration in the ossec.conf file?
> I see that it is loading the file from the logs, but it fails to log the decoder information itself and then ossec won't start.
> Can anyone explain how to use the decoder_dir configuration element?
> I want to put all custom rules / decoders / lists in their own folder so that when updates happen, I don't get wiped or impacted for some update reasons.
> Thanks
>

Can you provide the configuration you tried?
I haven't used decoder_dir in a while, but it always worked in the past for me.
[ossec-list] Re: Custom decoder failing to load
Hi,
So now the question is, why does it not work when I use:
decoders configuration in the ossec.conf file?
I see that it is loading the file from the logs, but it fails to log the decoder information itself and then ossec won't start.
Can anyone explain how to use the decoder_dir configuration element?
I want to put all custom rules / decoders / lists in their own folder so that when updates happen, I don't get wiped or impacted for some update reasons.
Thanks
[ossec-list] Re: Custom decoder failing to load
Hi,
So, I've created the local_decoder.xml file in the etc folder and put my decoder code in it and it is working.
I am using version 3.6.0
Thanks