rules error

Posted: Thu Jul 01, 2021 4:52 am
by tonny
Hi,

I'm testing customizing the processing of my firewall logs. I started with creating a decoder etc/local_decoder.xml

<decoder name="cisco-asa">
  <prematch_pcre2>%ASA-\d-\d{6}</prematch_pcre2>
</decoder>

<decoder name="cisco_asa-syslogdecode">
  <parent>cisco-asa</parent>
  <regex>%ASA-(\S+)-(\S+):</regex>
  <order>cisco_prio, cisco_code</order>
</decoder>
which works according to /var/ossec/bin/ossec-logtest and gives me the two values I want.
Next I tried rules in rules/local_rules.xml:

<group name="local,syslog,errors,">
   <rule id="100000" level="0">
     <decoded_as>cisco-asa</decoded_as>
     <description>cisco asa</description>
   </rule>
</group>
But that always gives me the error:

rules_list: Category '1' not found. Invalid 'category'.
Any ideas what I am missing here?

//Tonny
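To see what the decoder and rule above actually do to a log line without an OSSEC install at hand, here is an added example (not from this thread and not OSSEC's own code) that loads Tonny's two decoders and his rule from the XML as posted and walks a couple of constructed ASA syslog lines through a simplified version of the decode-then-match pipeline. It approximates OSSEC's evaluation with Python's re module (OSSEC's own OS_Regex and PCRE2 engines differ in details), and it assumes that a rule's decoded_as is compared against the parent decoder's name; the sample log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Decoder definitions copied from the thread, wrapped in one root element so
# ElementTree can parse a file that holds several <decoder> entries.
DECODERS_XML = r"""<decoders>
<decoder name="cisco-asa">
  <prematch_pcre2>%ASA-\d-\d{6}</prematch_pcre2>
</decoder>
<decoder name="cisco_asa-syslogdecode">
  <parent>cisco-asa</parent>
  <regex>%ASA-(\S+)-(\S+):</regex>
  <order>cisco_prio, cisco_code</order>
</decoder>
</decoders>"""

# Rule definition copied from the thread.
RULES_XML = r"""<group name="local,syslog,errors,">
   <rule id="100000" level="0">
     <decoded_as>cisco-asa</decoded_as>
     <description>cisco asa</description>
   </rule>
</group>"""

# Constructed sample lines: one ASA connection event, one unrelated sshd line.
SAMPLE_LINES = [
    "Jul  1 04:52:00 fw01 %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234",
    "Jul  1 04:52:01 fw01 sshd[1234]: Accepted publickey for admin from 192.0.2.20",
]


def load_decoders(xml_text):
    """Return (parents, children).

    parents:  decoder name -> compiled prematch regex
    children: parent name  -> list of (child name, compiled regex, field order)
    """
    parents, children = {}, {}
    for dec in ET.fromstring(xml_text).iter("decoder"):
        name = dec.get("name")
        parent = dec.findtext("parent")
        if parent is None:
            pre = dec.findtext("prematch_pcre2") or dec.findtext("prematch")
            parents[name] = re.compile(pre)
        else:
            order = [f.strip() for f in dec.findtext("order").split(",")]
            children.setdefault(parent, []).append(
                (name, re.compile(dec.findtext("regex")), order))
    return parents, children


def decode(line, parents, children):
    """Find the first parent whose prematch hits, then let its children
    extract fields; return None when no decoder claims the line."""
    for pname, pre in parents.items():
        if not pre.search(line):
            continue
        fields = {"decoder": pname}
        for cname, rx, order in children.get(pname, []):
            m = rx.search(line)
            if m:
                fields["child"] = cname
                fields.update(zip(order, m.groups()))
                break
        return fields
    return None


def load_rules(xml_text):
    """Flatten <rule> elements into dicts (only the fields used here)."""
    return [{"id": int(r.get("id")), "level": int(r.get("level")),
             "decoded_as": r.findtext("decoded_as"),
             "description": r.findtext("description")}
            for r in ET.fromstring(xml_text).iter("rule")]


def match_rules(fields, rules):
    """Return ids of rules whose decoded_as equals the parent decoder name
    (assumption: that is what decoded_as is compared against)."""
    if fields is None:
        return []
    return [r["id"] for r in rules if r["decoded_as"] == fields["decoder"]]


if __name__ == "__main__":
    parents, children = load_decoders(DECODERS_XML)
    rules = load_rules(RULES_XML)
    for line in SAMPLE_LINES:
        fields = decode(line, parents, children)
        print(fields, "->", match_rules(fields, rules))
```

The ASA line yields cisco_prio "6" and cisco_code "302013" and fires rule 100000; the sshd line is not claimed by any decoder, so no rule matches it, which mirrors what ossec-logtest reports for the two stages.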

Re: rules error

Posted: Thu Jul 01, 2021 7:53 am
by tonny
Not in the habit of answering my own questions ... but ...
Seems like the local_rule was invoked at the wrong place in etc/ossec.conf.

Re: rules error

Posted: Thu Jul 01, 2021 9:24 am
by scott
Yeah, that was an ordering thing all right, glad you got it sussed out!