On Tue, Aug 5, 2014 at 9:24 AM, angel wings <[email protected]> wrote:
> Hi Dan, thanks for your reaction.
>
> I re-entered the text. Also copy and pasted another working rule etc. As
> soon as I use the rule number 2501 or 2502 it gives the mentioned error.
>

What version of OSSEC?
Are you sure rule 2501 isn't disabled or something in your setup?
Are you sure the syslog_rules.xml file is being loaded?
Are you sure your local_rules.xml isn't being loaded before the
syslog_rules.xml?
Other than these things, I can't think of a reason this wouldn't work for you.

>
> On Tuesday, August 5, 2014 at 13:43:28 UTC+2, dan (ddpbsd) wrote:
>>
>> On Tue, Aug 5, 2014 at 6:28 AM, angel wings <[email protected]> wrote:
>> > Hi,
>> >
>> > To ignore failed user authentications from a certain user I put the
>> > following in the local_rules.xml
>> >
>> > <group name="ExcludeUserX">
>> >   <rule id="117000" level="0">
>> >     <if_sid>2501</if_sid> <!-- syslog_rules.xml -->
>> >     <match>Authentication failed for userX</match>
>> >     <description>ignore not changed password UserX</description>
>> >   </rule>
>> > </group>
>> >
>> > After saving and restarting the ossec service I get the following error
>> > in the ossec log.
>> >
>> > 2014/08/05 12:12:28 rules_list: Signature ID '2501' not found. Invalid
>> > 'if_sid'.
>> >
>> > I checked:
>> > My rule id is okay
>> > sid 2501 does exist in syslog_rules.xml
>> >
>> > Can someone help me?
>> >
>>
>> Copy and pasting that rule works fine for me (I ignored the group
>> stuff). Try re-entering it.
>>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
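
The load-order questions in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not OSSEC's own code; it assumes rule files are loaded in the order of the `<include>` entries in ossec.conf and that an `if_sid` parent must already be loaded, and its function names and sample configuration are constructed for illustration.

```python
import re

COMMENT = re.compile(r"<!--.*?-->", re.S)
INCLUDE = re.compile(r"<include>\s*([^<\s]+)\s*</include>")
RULE = re.compile(r'<rule\s[^>]*?\bid="(\d+)"[^>]*>(.*?)</rule>', re.S)
IF_SID = re.compile(r"<if_sid>([^<]*)</if_sid>")

def rules_in(text):
    """(rule id, [parent sids]) per active rule; commented-out rules are ignored."""
    return [(rid, [s for p in IF_SID.findall(body) for s in re.split(r"[,\s]+", p) if s])
            for rid, body in RULE.findall(COMMENT.sub("", text))]

def check_if_sid(ossec_conf, rule_files):
    """Return (file, rule id, parent sid, reason) for each if_sid that cannot resolve."""
    order = INCLUDE.findall(COMMENT.sub("", ossec_conf))  # assumed load order
    defined_in = {}  # sid -> first included file that actively defines it
    for name in order:
        for rid, _ in rules_in(rule_files.get(name, "")):
            defined_in.setdefault(rid, name)
    problems, loaded = [], set()
    for name in order:
        for rid, parents in rules_in(rule_files.get(name, "")):
            for sid in parents:
                if sid in loaded:
                    continue
                where = defined_in.get(sid)
                reason = (f"defined later, in {where}" if where
                          else "not active in any included file")
                problems.append((name, rid, sid, reason))
            loaded.add(rid)
    return problems

# Constructed sample input (not taken from a real installation).
SYSLOG_RULES = ('<group name="syslog,"><rule id="2501" level="5">'
                '<match>authentication failure</match>'
                '<description>stand-in for rule 2501</description></rule></group>')
LOCAL_RULES = """<group name="ExcludeUserX">
  <rule id="117000" level="0">
    <if_sid>2501</if_sid> <!-- syslog_rules.xml -->
    <match>Authentication failed for userX</match>
    <description>ignore not changed password UserX</description>
  </rule>
</group>"""
FILES = {"syslog_rules.xml": SYSLOG_RULES, "local_rules.xml": LOCAL_RULES}
BAD_CONF = "<rules><include>local_rules.xml</include><include>syslog_rules.xml</include></rules>"
GOOD_CONF = "<rules><include>syslog_rules.xml</include><include>local_rules.xml</include></rules>"

if __name__ == "__main__":
    for label, conf in (("local first", BAD_CONF), ("syslog first", GOOD_CONF)):
        print(label, check_if_sid(conf, FILES))
```

To run it against a real setup, pass the text of ossec.conf and a dict mapping each included file name to its contents.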
