On Tue, Nov 27, 2012 at 2:42 AM, Shaun <saravana...@gmail.com> wrote:
> Hi All,
>
> I'm trying my hand at writing OSSEC rules.
>
> I created a custom rule to capture failed login attempts on a Linux machine in
> /var/ossec/rules/local_rules.xml:
>
>   <group name="syslog,sshd,">
>     <rule id="100123" level="10" frequency="3">
>       <match>^authentication failure</match>
>       <group>authentication_failed</group>
>       <description>Failed login attempts</description>
>     </rule>
>   </group>
>
> and when I restart the ossec service I get the following error:
>
>   ossec-syscheckd(1210):Error:Queue '/var/ossec/queue/ossec/queue' not accessible : 'connection refused'
>
> Can someone help me identify what went wrong?
>
> Not just this: when I tried modifying the alert frequency of an event, I get the same error.
>
> For example, ssh_successful.
>
> I copied the following from the syslog_rules.xml file to local_rules.xml:
>
>   <rule id="5402" level="3">
>     <if_sid>5400</if_sid>
>     <match> ; USER=root ; COMMAND=</match>
>     <description>Successful sudo to ROOT executed</description>
>   </rule>
>
> In the local_rules.xml file I modified it as:
>
>   <rule id="5402" level="3" frequency="15" overwrite="yes">
>     <if_sid>5400</if_sid>
>     <match> ; USER=root ; COMMAND=</match>
>     <description>Successful sudo to ROOT executed</description>
>   </rule>
>
> I get the same error (ossec-syscheckd(1210):Error:Queue '/var/ossec/queue/ossec/queue' not accessible : 'connection refused') on restarting OSSEC.
>
> Please assist.
>
> Regards,
> Shaun
The error usually means you did something wrong in the rules. Run `/var/ossec/bin/ossec-logtest -t`; that might give you a clue. For instance, with 100123 I get:

  # /var/ossec/bin/ossec-logtest -t
  2012/11/27 09:00:56 ossec-testrule: INFO: Reading local decoder file.
  2012/11/27 09:00:56 ossec-analysisd: Invalid use of frequency/context options. Missing if_matched on rule '100123'.
  2012/11/27 09:00:56 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

So you need an if_matched statement for the frequency to work. So maybe something like:

  <rule id="100123" level="0">
    <match>^authentication failure</match>
    <group>authentication_failed</group>
    <description>Authentication failure group rule.</description>
  </rule>

  <rule id="100124" level="10" frequency="3" timeframe="120">
    <if_matched_sid>100123</if_matched_sid>
    <description>3 failures in 2 minutes!</description>
  </rule>

With that I get success:

  # /var/ossec/bin/ossec-logtest -t
  2012/11/27 09:03:51 ossec-testrule: INFO: Reading local decoder file.
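As an added example (not from this thread or from OSSEC itself), here is a small Python lint that catches exactly the mistake the reply diagnoses before you restart the daemon: any rule that sets frequency= without an if_matched_* condition. The embedded sample is constructed from both rules in the question plus a fixed base/composite pair; the ids 100124/100125 for that pair are my choice, not from the thread.

```python
import xml.etree.ElementTree as ET

# Composite-rule conditions OSSEC accepts alongside frequency/timeframe.
IF_MATCHED_TAGS = {"if_matched_sid", "if_matched_group", "if_matched_regex"}

# Constructed sample: the two rules from the question (both rejected by
# ossec-logtest) followed by a fixed pair (ids 100124/100125 chosen here).
SAMPLE_RULES = """
<group name="syslog,sshd,">
  <rule id="100123" level="10" frequency="3">
    <match>^authentication failure</match>
    <group>authentication_failed</group>
    <description>Failed login attempts</description>
  </rule>
  <rule id="5402" level="3" frequency="15" overwrite="yes">
    <if_sid>5400</if_sid>
    <match> ; USER=root ; COMMAND=</match>
    <description>Successful sudo to ROOT executed</description>
  </rule>
</group>
<group name="syslog,sshd,">
  <rule id="100124" level="0">
    <match>^authentication failure</match>
    <group>authentication_failed</group>
    <description>Authentication failure group rule.</description>
  </rule>
  <rule id="100125" level="10" frequency="3" timeframe="120">
    <if_matched_sid>100124</if_matched_sid>
    <description>3 failures in 2 minutes!</description>
  </rule>
</group>
"""


def find_frequency_without_if_matched(rules_xml: str) -> list:
    """Return ids of <rule>s that set frequency= but have no if_matched_* child.

    A rules file may hold several top-level <group> elements, so the text is
    wrapped in a synthetic root. if_sid does not count: it chains on a parent
    match, it does not count repeated matches over a timeframe.
    """
    root = ET.fromstring("<ossec_rules>" + rules_xml + "</ossec_rules>")
    bad = []
    for rule in root.iter("rule"):
        if "frequency" in rule.attrib and not any(
            child.tag in IF_MATCHED_TAGS for child in rule
        ):
            bad.append(rule.get("id", "<no id>"))
    return bad


if __name__ == "__main__":
    for rule_id in find_frequency_without_if_matched(SAMPLE_RULES):
        print(f"rule {rule_id}: frequency set but no if_matched_* condition")
```

To check a live file, pass the contents of /var/ossec/rules/local_rules.xml to find_frequency_without_if_matched() instead of the sample.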