On Mon, Oct 31, 2016 at 2:02 PM, Brad <tech4pat...@gmail.com> wrote:
> Nice find Pedro! That was the problem. I wish the documentation had said
> that it was regex based. Lol. At least it's working now. :) Many thanks
>
I've created a pull request to hopefully fix the documentation:
https://github.com/ossec/ossec-docs/pull/186

>
> On Saturday, October 29, 2016 at 3:53:53 PM UTC-5, Brad wrote:
>>
>> Hi all,
>>
>> I'm setting up an AR and it works if I only use 1 rules_group or if I use
>> multiple rules_id but not if I use multiple rules_group. Here is the code.
>>
>> WORKS:
>> <active-response>
>> <command>ipv6-subnet-log</command>
>> <location>local</location>
>> <rules_group>authentication_failed</rules_group>
>> </active-response>
>>
>> WORKS:
>> <active-response>
>> <command>ipv6-subnet-log</command>
>> <location>local</location>
>> <rules_id>5716,5718</rules_id>
>> </active-response>
>>
>> DOESN'T WORK:
>> <active-response>
>> <command>ipv6-subnet-log</command>
>> <location>local</location>
>> <rules_group>authentication_failed,invalid_login</rules_group>
>> </active-response>
>>
>> According to the documentation that should work but it doesn't. Any idea
>> why?
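
The behaviour discussed in this thread, as an added example that is not part of the original messages or of OSSEC's code: a rules_group value treated as a regular expression matches nothing when written as a comma list, and a small lint flags such values in a config. Python's `re` stands in for OSSEC's matcher; the group strings, the rule id 9001, the `|` form and the function names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed group strings; the id-to-group mapping is an assumption.
RULE_GROUPS = {
    "5716": "syslog,sshd,authentication_failed,",
    "5718": "syslog,sshd,invalid_login,",
    "9001": "syslog,sshd,authentication_success,",  # hypothetical rule id
}

# Constructed config mirroring the thread's failing block plus a regex form.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>ipv6-subnet-log</command>
    <location>local</location>
    <rules_group>authentication_failed,invalid_login</rules_group>
  </active-response>
  <active-response>
    <command>ipv6-subnet-log</command>
    <location>local</location>
    <rules_group>authentication_failed|invalid_login</rules_group>
  </active-response>
</ossec_config>
"""


def rules_matched(rules_group_value, rules=RULE_GROUPS):
    """Ids of rules whose group string the value matches as an unanchored regex."""
    pattern = re.compile(rules_group_value)
    return sorted(rid for rid, groups in rules.items() if pattern.search(groups))


def lint_rules_group(conf_xml):
    """Return rules_group values that look like comma lists rather than regexes."""
    suspect = []
    for node in ET.fromstring(conf_xml).iter("rules_group"):
        value = (node.text or "").strip()
        # A comma with a group name on both sides only matches rules whose
        # group string contains exactly that sequence, which is rarely intended.
        if re.search(r"\w,\s*\w", value):
            suspect.append(value)
    return suspect


if __name__ == "__main__":
    for value in ("authentication_failed", "authentication_failed,invalid_login",
                  "authentication_failed|invalid_login"):
        print(f"{value!r:45} -> {rules_matched(value)}")
    print("suspect values:", lint_rules_group(SAMPLE_CONF))
```

A silently non-matching active response leaves the expected blocking or logging absent, so a check like this is worth running whenever rules_group entries are edited.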