rules error

Support/Development for OSSEC
tonny
Forum User
Posts: 7
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

rules error

Post by tonny

Hi,

I'm testing customizing the processing of my firewall logs. I started by creating a decoder in etc/local_decoder.xml:

Code:

<!-- Parent decoder: fires on any Cisco ASA message header such as %ASA-6-302013 -->
<decoder name="cisco-asa">
  <prematch_pcre2>%ASA-\d-\d{6}</prematch_pcre2>
</decoder>

<!-- Child decoder: extracts the severity digit and the message id into two fields -->
<decoder name="cisco_asa-syslogdecode">
  <parent>cisco-asa</parent>
  <regex>%ASA-(\S+)-(\S+):</regex>
  <order>cisco_prio, cisco_code</order>
</decoder>
which works according to /var/ossec/bin/ossec-logtest and gives me the two values I want.
Next I tried rules in rules/local_rules.xml:

Code:

<group name="local,syslog,errors,">
   <!-- level 0: match the decoded ASA event silently so child rules can build on id 100000 -->
   <rule id="100000" level="0">
     <decoded_as>cisco-asa</decoded_as>
     <description>cisco asa</description>
   </rule>
</group>
But that always gives me the error:

Code:

rules_list: Category '1' not found. Invalid 'category'.
Any ideas what I am missing here?

//Tonny
tonny
Forum User
Posts: 7
Joined: Fri Apr 09, 2021 8:56 am
Location: Sweden

Re: rules error

Post by tonny

Not in the habit of answering my own questions ..... but ....
Seems like the local_rule was invoked at the wrong place in etc/ossec.conf.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: rules error

Post by scott

Yeah that was an ordering thing all right, glad you got it sussed out!
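The ordering problem tonny ran into, as an added check that is not part of this thread: the script below reads the <rules> include list from ossec.conf and flags local_rules.xml being listed before rules_config.xml, or not being the last include. It assumes, as in stock OSSEC, that rules_config.xml defines the per-category template rules that a rule without any if_sid/if_group selector is attached to; the two sample configs and the rule from the first post are constructed inline.

```python
import xml.etree.ElementTree as ET

# Constructed samples: BAD_CONF lists local_rules.xml before rules_config.xml,
# the ordering that leads to "Category '1' not found"; GOOD_CONF is the stock order.
BAD_CONF = """<ossec_config><rules>
  <include>local_rules.xml</include>
  <include>rules_config.xml</include>
  <include>syslog_rules.xml</include>
</rules></ossec_config>"""
GOOD_CONF = """<ossec_config><rules>
  <include>rules_config.xml</include>
  <include>syslog_rules.xml</include>
  <include>local_rules.xml</include>
</rules></ossec_config>"""
# The rule from the thread: it has no if_sid/if_group, so it must hang off a category template.
LOCAL_RULES = """<group name="local,syslog,errors,">
  <rule id="100000" level="0">
    <decoded_as>cisco-asa</decoded_as>
    <description>cisco asa</description>
  </rule>
</group>"""
PARENT_SELECTORS = ("if_sid", "if_group", "if_level", "if_matched_sid", "if_matched_group", "if_matched_regex")

def _parse(fragment):
    """Wrap before parsing: ossec.conf and rules files may hold several top-level elements."""
    return ET.fromstring("<root>" + fragment + "</root>")

def rule_includes(conf_text):
    """<include> file names under <rules>, in the order ossec-analysisd loads them."""
    return [(i.text or "").strip()
            for rules in _parse(conf_text).iter("rules") for i in rules.findall("include")]

def category_rooted_rules(rules_xml):
    """Ids of rules with no if_* selector; these attach under a category template rule,
    assumed (as in stock OSSEC) to be defined in rules_config.xml."""
    return [r.get("id") for r in _parse(rules_xml).iter("rule")
            if all(r.find(sel) is None for sel in PARENT_SELECTORS)]

def check_include_order(conf_text, local_xml, local_name="local_rules.xml"):
    """Return a list of ordering problems; an empty list means the order is fine."""
    inc, problems = rule_includes(conf_text), []
    if "rules_config.xml" not in inc:
        problems.append("rules_config.xml is not included under <rules>")
    elif local_name in inc and inc.index(local_name) < inc.index("rules_config.xml"):
        rooted = category_rooted_rules(local_xml)
        if rooted:
            problems.append(f"{local_name} precedes rules_config.xml but rules {rooted} need its category templates")
    if inc and inc[-1] != local_name:
        problems.append(f"{local_name} should be the last include so its if_sid/if_group references can find rules loaded earlier")
    return problems
```

Running check_include_order(BAD_CONF, LOCAL_RULES) reports both problems, while the stock order in GOOD_CONF reports none.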