rules error

tonny · Unread post by **tonny** » Thu Jul 01, 2021 4:52 am

Hi,

I'm testing customizing the processing of my firewall logs. I started with creating a decoder etc/local_decoder.xml

Code: Select all

<decoder name="cisco-asa">
  <prematch_pcre2>%ASA-\d-\d{6}</prematch_pcre2>
</decoder>

<decoder name="cisco_asa-syslogdecode">
  <parent>cisco-asa</parent>
  <regex>%ASA-(\S+)-(\S+):</regex>
  <order>cisco_prio, cisco_code</order>
</decoder>

which works according to /var/ossec/bin/ossec-logtest and gives me the two values I want
Next I tried rules in rules/local_rules.xml:

Code: Select all

<group name="local,syslog,errors,">
   <rule id="100000" level="0">
     <decoded_as>cisco-asa</decoded_as>
     <description>cisco asa</description>
   </rule>
</group>

But that always gives me the error

Code: Select all

rules_list: Category '1' not found. Invalid 'category'.

Any ideas what i am missing here??

//Tonny

tonny · Unread post by **tonny** » Thu Jul 01, 2021 7:53 am

not in the habit of answering my own questions ..... but ....
seems like the local_rule was invoked at the wrong place in etc/ossec.conf

Unread post by **scott** » Thu Jul 01, 2021 9:24 am

Yeah that was an ordering thing all right, glad you got it sussed out!

Atomicorp

rules error

rules error

Re: rules error

Re: rules error