ossec-analysisd: Invalid decoder name

[repquota]

Hi,

I have another problem. I added new file to my ossec rules and after reload ossec i have in ossec logs something like:

2015/07/10 21:35:28 ossec-testrule: INFO: Reading local decoder file.

2015/07/10 21:35:28 ossec-analysisd: Invalid decoder name: 'usermod'.

2015/07/10 21:35:28 ossec-testrule(1220): ERROR: Error loading the rules: 'usermod_rules.xml'.

my decoder on decoder.xml below:

<decoder name="usermod">

  <program_name>^usermod</program_name>

</decoder>

<decoder name="usermod-locked">

  <parent>usermod</parent>

  <prematch>^lock \S+ </prematch>

  <regex offset="after_prematch">^user (\S+) password$</regex>

  <order>user, srcip</order>

</decoder>

and my usermod_rules.xml below:

<group name="usermod">

<rule id="100020" level="2">

<decoded_as>usermod</decoded_as>

<description>USERMOD messages grouped.</description>

</rule>

<rule id="100021" level="10">

<if_sid>100020</if_sid>

<match>lock user</match>

<description>Usser account locked</description>

</rule>

 of course I added file name in /var/ossec/etc/ossec in <rules> block

Where is a mistake ? What am I doing wrong ?

[Brent Morris]

I don't see that you closed the <group name="usermod"> section of your xml with a </group>

That might be it!