OSSEC 2.8 issue with local_rules.xml

Bill Soverns

Jul 29, 2014, 1:59:12 PM
to ossec...@googlegroups.com
Upgraded to 2.8 (Linux) this morning and the local_rules.xml will not load. Getting the error Attribute 'ID' has no value. Nothing was changed in the local rules file before or after the upgrade and I see nothing wrong with the syntax. Server will run without local_rules just fine. Please advise.


dan (ddp)

Jul 29, 2014, 2:03:30 PM
to ossec...@googlegroups.com
Provide the file so we can try and find the problem?


Bill Soverns

Jul 29, 2014, 2:45:58 PM
to ossec...@googlegroups.com
Attached local_rules file.  Error indicated line 35 as the source of the problem
local_rules.docx

dan (ddp)

Jul 29, 2014, 3:06:49 PM
to ossec...@googlegroups.com
On Tue, Jul 29, 2014 at 2:45 PM, Bill Soverns <sov...@olsdallas.com> wrote:
> Attached local_rules file. Error indicated line 35 as the source of the
> problem
>

So I opened it on another system and copied it to a text file. It
looks like there are spaces between some of your "id"s and "="s. Maybe
also between some "level"s and "="s.


dan (ddp)

Jul 29, 2014, 3:17:37 PM
to ossec...@googlegroups.com
On Tue, Jul 29, 2014 at 3:06 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Jul 29, 2014 at 2:45 PM, Bill Soverns <sov...@olsdallas.com> wrote:
>> Attached local_rules file. Error indicated line 35 as the source of the
>> problem
>>
>
> So I opened it on another system and copied it to a text file. It
> looks like there are spaces between some of your "id"s and "="s. Maybe
> also between some "level"s and "="s.
>

The file also didn't have a </group> at the bottom.

Bill Soverns

Jul 29, 2014, 3:20:47 PM
to ossec...@googlegroups.com
I just forgot to copy the /group.  Is 2.8 non space tolerant?  I only ask because that file is currently running on 2.7 just fine.  I will go back and look things over very closely.


dan (ddp)

Jul 29, 2014, 3:34:47 PM
to ossec...@googlegroups.com
On Tue, Jul 29, 2014 at 3:20 PM, Bill Soverns <sov...@olsdallas.com> wrote:
> I just forgot to copy the /group. Is 2.8 non space tolerant? I only ask
> because that file is currently running on 2.7 just fine. I will go back and
> look things over very closely.
>

I can look into the commit history if you need me to, but I almost
kinda remember something about being stricter about things like that.
I don't think spaces have ever been supported, they just weren't
rejected.


Bill Soverns

Jul 30, 2014, 11:25:59 AM
to ossec...@googlegroups.com
Confirmed.  Spaces removed and problem fixed. Thanks for the assist.
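
A pre-upgrade check for the two problems found in this thread (whitespace around "=" in rule attributes, and a missing </group>), added here as an example; it is not part of the original thread and not OSSEC's own code. The regex-based tag matching is a heuristic that assumes attribute values contain no "<" or ">", and the sample rules are constructed.

```python
import re

COMMENT = re.compile(r"<!--.*?-->", re.S)
TAG = re.compile(r"<[A-Za-z_][^<>]*>")  # opening or self-closing tags only
# name, whitespace before '=', whitespace after '=', quoted value
ATTR = re.compile(r"""([A-Za-z_][\w.-]*)(\s*)=(\s*)("[^"]*"|'[^']*')""")

def _strip_comments(text):
    # Blank out comments but keep newlines so line numbers stay correct.
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)

def find_spaced_attributes(text):
    """Return (line, attribute) for every attribute written with
    whitespace around '=' inside a tag; element text is ignored."""
    body = _strip_comments(text)
    hits = []
    for tag in TAG.finditer(body):
        for attr in ATTR.finditer(tag.group(0)):
            if attr.group(2) or attr.group(3):
                line = body.count("\n", 0, tag.start() + attr.start()) + 1
                hits.append((line, attr.group(1)))
    return hits

def unclosed_groups(text):
    """Number of <group ...> openings without a matching </group>."""
    body = _strip_comments(text)
    return len(re.findall(r"<group[\s>]", body)) - len(re.findall(r"</group\s*>", body))

# Constructed sample (not the file from the thread); rule IDs are made up.
SAMPLE = '''<!-- local rules, constructed sample -->
<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <description>well formed; text such as a = b is not an attribute</description>
  </rule>
  <rule id = "100002" level ="7">
    <if_sid>5716</if_sid>
    <description>spaces around the equals sign in the rule tag</description>
  </rule>
'''

if __name__ == "__main__":
    for line, name in find_spaced_attributes(SAMPLE):
        print(f"line {line}: whitespace around '=' in attribute '{name}'")
    if unclosed_groups(SAMPLE):
        print("unbalanced <group> / </group>")
```

Running it against a copy of local_rules.xml before upgrading the server shows which lines a stricter parser would reject.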
