Hi,
To ignore failed user authentications from a certain user I put the
following in the local_rules.xml
<group name="ExcludeUserX">
  <rule id="117000" level="0">
    <if_sid>2501</if_sid> <!-- syslog_rules.xml -->
    <match>Authentication failed for userX</match>
    <description>ignore not changed password UserX</description>
  </rule>
</group>
After saving and restarting the ossec service I get the following error in the
ossec log.
2014/08/05 12:12:28 rules_list: Signature ID '2501' not found. Invalid
'if_sid'.
I checked:
My rule id is okay
sid 2501 does exist in syslog_rules.xml
Can someone help me?