The following rules worked before, but now I get an error:
<!-- Ignore rule 18139 -->
<rule id="100117" level="0">
<if_sid>18139</if_sid>
<options>no_log</options>
<regex>User name:\s+\.*\$\s+</regex>
<description>Windows login failure for workstation - user name ends in $ (ignored)</description>
</rule>
[root@ossec etc]# /opt/ossec/bin/ossec-logtest
2014/07/01 08:53:27 ossec-testrule: INFO: Reading local decoder file.
2014/07/01 08:53:27 ossec-analysisd(1227): ERROR: Error applying XML variables 'rules//local_rules.xml': XMLERR: Unknown variable: '\s+'..
2014/07/01 08:53:27 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
This might be fallout from the regex changes.
It is. Key bit is "Unknown variable". We fixed this in master, but I
will check. I will also add this to our testing to make sure things
like this do not happen.
Just tested and confirmed this is fixed in master. I am going to start
the process of cutting a new release tonight to get this fix out.