Hi,

I tried to do this, but I'm getting:

ERROR: Parent decoder name invalid: 'rootcheck'
ERROR: Error adding decoder plugin

I don't see the rootcheck decoder within decoder.xml either. Any ideas?

Thanks again for the help!

On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting 
> spammed with alerts but I can't seem to tune it correctly. What's weird is 
> that I am still getting alerted for rule 510 for this log, but I can't 
> figure out how to get that to show in logtest. Basically, I am getting 
> spammed with rule 510 and trying to filter it down more and here is what 
> happens when I enter the log in logtest:    .... any ideas on how to fix 
> this?
>
> **Phase 1: Completed pre-decoding.
>
>        full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>
>        hostname: 'hostname'
>
>        program_name: '(null)'
>
>        log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>
>
> **Phase 2: Completed decoding.
>
>        decoder: 'sample_decoder_setup'
>
>        id: '/filepath/'
>
