On Thu, Aug 30, 2018 at 4:11 AM Fredrik Hilmersson <fredrik.hilmers...@gmail.com> wrote: > > Hello, > > The ruleset psad_rules.xml which is included in the 3.0.0 version is not by > default included in the ossec.conf file. When i add the the include: > <include>psad_rules.xml</include> within the <rule></rule><!-- rules global > entry --> I get the following error: > > ossec-testrule: INFO: Reading local decoder file. > rules_list: Category '1' not found. Invalid 'category'. > > It works by adding the rules to local_rules.xml, so that's no issue, but for > convenience and also to learn if i've done something incorrect I would > appreciate some help of the above issue. >
I'm not having any issues. <ossec_config> <!-- rules global entry --> <rules> <include>rules_config.xml</include> <include>pam_rules.xml</include> <include>sshd_rules.xml</include> <include>telnetd_rules.xml</include> <include>syslog_rules.xml</include> <include>arpwatch_rules.xml</include> <include>symantec-av_rules.xml</include> <include>symantec-ws_rules.xml</include> <include>pix_rules.xml</include> <include>named_rules.xml</include> <include>smbd_rules.xml</include> <include>vsftpd_rules.xml</include> <include>pure-ftpd_rules.xml</include> <include>proftpd_rules.xml</include> <include>ms_ftpd_rules.xml</include> <include>ftpd_rules.xml</include> <include>hordeimp_rules.xml</include> <include>roundcube_rules.xml</include> <include>wordpress_rules.xml</include> <include>cimserver_rules.xml</include> <include>vpopmail_rules.xml</include> <include>vmpop3d_rules.xml</include> <include>courier_rules.xml</include> <include>web_rules.xml</include> <include>web_appsec_rules.xml</include> <include>apache_rules.xml</include> <include>nginx_rules.xml</include> <include>php_rules.xml</include> <include>mysql_rules.xml</include> <include>postgresql_rules.xml</include> <include>ids_rules.xml</include> <include>squid_rules.xml</include> <include>firewall_rules.xml</include> <include>apparmor_rules.xml</include> <include>cisco-ios_rules.xml</include> <include>netscreenfw_rules.xml</include> <include>sonicwall_rules.xml</include> <include>postfix_rules.xml</include> <include>sendmail_rules.xml</include> <include>imapd_rules.xml</include> <include>mailscanner_rules.xml</include> <include>dovecot_rules.xml</include> <include>ms-exchange_rules.xml</include> <include>racoon_rules.xml</include> <include>vpn_concentrator_rules.xml</include> <include>spamd_rules.xml</include> <include>msauth_rules.xml</include> <include>mcafee_av_rules.xml</include> <include>trend-osce_rules.xml</include> <include>ms-se_rules.xml</include> <!-- <include>policy_rules.xml</include> --> <include>zeus_rules.xml</include> <include>solaris_bsm_rules.xml</include> <include>vmware_rules.xml</include> <include>ms_dhcp_rules.xml</include> <include>asterisk_rules.xml</include> <include>ossec_rules.xml</include> <include>attack_rules.xml</include> <include>openbsd_rules.xml</include> <include>clam_av_rules.xml</include> <include>dropbear_rules.xml</include> <include>sysmon_rules.xml</include> <include>opensmtpd_rules.xml</include> <include>exim_rules.xml</include> <include>openbsd-dhcpd_rules.xml</include> <include>dnsmasq_rules.xml</include> <include>psad_rules.xml</include> <!-- HERE IT IS --> <include>local_rules.xml</include> </rules> </ossec_config> <!-- rules global entry --> [root@rossak ossec]# /var/ossec/bin/ossec-logtest -t 2018/08/30 07:18:54 ossec-testrule: INFO: Reading local decoder file. [root@rossak ossec]# > Kind regards, > Fredrik > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.