Hi, did you create a new rule with "if_group"? Could you paste here the full output of logtest?

Here is an example of "if_group" (local_rules.xml):

<!-- Feb 27 12:57:40 LinMV sshd[1552]: pam_unix(sshd:session): session opened for user root by (uid=0) -->
<group name="test,">
  <rule id="100002" level="4">
    <if_group>authentication_success</if_group>
    <group>authentication_success</group>
    <description>Hi, this is an authentication_success</description>
  </rule>
</group>

Feb 27 12:57:40 LinMV sshd[1552]: pam_unix(sshd:session): session opened for user root by (uid=0)

**Phase 1: Completed pre-decoding.
       full event: 'Feb 27 12:57:40 LinMV sshd[1552]: pam_unix(sshd:session): session opened for user root by (uid=0)'
       hostname: 'LinMV'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '4'
       Description: 'Hi, this is an authentication_success'
**Alert to be generated.

Regards.

On Saturday, February 27, 2016 at 6:20:39 AM UTC+1, Barry Kaplan wrote:
>
> I made an attempt to trim down the rules but ended up with the following error:
>
> 2016/02/27 05:05:24 rules_list: Group 'authentication_success' not found. Invalid 'if_group'
>
> Do rules need to be loaded in a specific order, or did I remove a file that is depended on by another file? In either case, is there a way to determine the dependencies?
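The thread turns on one point: an `<if_group>` is only valid if some rule that was already loaded belongs to that group, which is why trimming rule files can produce the "Group ... not found. Invalid 'if_group'" error. The script below is an added example, not code from the thread or from the OSSEC project. It walks an OSSEC-style rules document in file order, records the groups each rule belongs to (the enclosing `<group name="...">` list plus the rule's own `<group>` tags), and reports every `<if_group>` that names a group no earlier rule has defined. The sample rules are constructed for this example, and the assumption that `if_group` is resolved only against rules loaded before it is mine, inferred from the error message in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an OSSEC local_rules.xml (not from the thread).
# Rule 100001 defines the group; 100002 legitimately depends on it; 100003
# references a group that no loaded rule ever defines.
SAMPLE_RULES = """
<group name="syslog,sshd,">
  <rule id="100001" level="3">
    <decoded_as>pam</decoded_as>
    <match>session opened for user</match>
    <group>authentication_success</group>
    <description>PAM session opened</description>
  </rule>
</group>

<group name="test,">
  <rule id="100002" level="4">
    <if_group>authentication_success</if_group>
    <description>Hi, this is an authentication_success</description>
  </rule>
  <rule id="100003" level="5">
    <if_group>authentication_failed</if_group>
    <description>Depends on a group that no loaded rule defines</description>
  </rule>
</group>
"""


def _split_groups(text):
    """OSSEC group lists are comma-separated and usually end with a trailing comma."""
    return [g.strip() for g in (text or "").split(",") if g.strip()]


def check_if_group(rules_xml):
    """Return [(rule_id, missing_group), ...] for every <if_group> that names a
    group no earlier-loaded rule belongs to.

    Assumption (mine): rules are resolved in file order, so a group counts as
    defined only once a rule carrying it has been seen. The document is wrapped
    in a synthetic root because OSSEC rule files may hold several top-level
    <group> elements, which is not well-formed XML on its own.
    """
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    known = set()
    problems = []
    for grp in root.findall("group"):
        parent_groups = _split_groups(grp.get("name"))
        for rule in grp.findall("rule"):
            rid = rule.get("id")
            # Check dependencies before registering this rule's own groups.
            for ig in rule.findall("if_group"):
                for wanted in _split_groups(ig.text):
                    if wanted not in known:
                        problems.append((rid, wanted))
            own = []
            for g in rule.findall("group"):
                own.extend(_split_groups(g.text))
            known.update(parent_groups + own)
    return problems


if __name__ == "__main__":
    for rid, group in check_if_group(SAMPLE_RULES):
        print(f"rule {rid}: if_group '{group}' not defined by any earlier rule")
```

Run against the sample, the only finding is rule 100003 depending on `authentication_failed`; rule 100002 passes because 100001 placed itself in `authentication_success` first. To apply this to a real deployment, concatenate the rule files in the order `ossec.conf` lists them before calling `check_if_group`, since a group defined in a later file would still trigger the same loader error.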