ossec.conf issue
358 views
Skip to first unread message
Costantino Davies
Mar 8, 2024, 9:01:33 AM3/8/24
to Wazuh | Mailing List
hi everyone, i'm hving truble to update my ossec.cof with this few lines
<!-- Decoders Configuration -->
<decoders>
<decoder name="microsoft-windows-security-auditing">
<parent>win</parent>
<prematch>Microsoft-Windows-Security-Auditing</prematch>
</decoder>
<decoder name="microsoft-windows-security-auditing-message">
<parent>microsoft-windows-security-auditing</parent>
<match>message":"\"A network share object was checked to see whether client can be granted desired access.</match>
</decoder>
</decoders>
<decoders>
<decoder name="microsoft-windows-security-auditing">
<parent>win</parent>
<prematch>Microsoft-Windows-Security-Auditing</prematch>
</decoder>
<decoder name="microsoft-windows-security-auditing-message">
<parent>microsoft-windows-security-auditing</parent>
<match>message":"\"A network share object was checked to see whether client can be granted desired access.</match>
</decoder>
</decoders>
but i constanlty receving this kind of error, any idea?
Could not update configuration (1908) - Error validating configuration: (1230): Invalid element in the configuration: 'decoders'., (1202): Configuration error at 'etc/ossec.conf'.
returnErrorInstance@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:186528
_callee2$@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:184748
tryCatch@https://192.168.123.150/47302/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:246869
makeInvokeMethod/<@https://192.168.123.150/47302/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:249417
defineIteratorMethods/</<@https://192.168.123.150/47302/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:247644
asyncGeneratorStep@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:178377
_next@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:178706
returnErrorInstance@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:186528
_callee2$@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:184748
tryCatch@https://192.168.123.150/47302/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:246869
makeInvokeMethod/<@https://192.168.123.150/47302/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:249417
defineIteratorMethods/</<@https://192.168.123.150/47302/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:247644
asyncGeneratorStep@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:178377
_next@https://192.168.123.150/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:178706
Olusegun Adenrele Oyebo
Mar 8, 2024, 10:32:44 AM3/8/24
to Wazuh | Mailing List
Hello Costantino,
Thanks for reaching out.
You're getting the error because you're not supposed to update the Wazuh manager's /var/ossec/etc/ossec.conf file with your decoders. Since you're creating a custom decoder, you can configure your decoder in the file /var/ossec/etc/decoders/local_decoder.xml or you can do your configuration on the dashboard too which also enables you to test your decoders as you configure and finetune them.
Thanks for reaching out.
You're getting the error because you're not supposed to update the Wazuh manager's /var/ossec/etc/ossec.conf file with your decoders. Since you're creating a custom decoder, you can configure your decoder in the file /var/ossec/etc/decoders/local_decoder.xml or you can do your configuration on the dashboard too which also enables you to test your decoders as you configure and finetune them.
- On your dashboard, go to Management => Decoder and click Custom decoders.
- Click on the local_decoder.xml , configure your decoders, save them and also test them accordingly to be sure they meet your need (screenshot attached).
- https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
- https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
- https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
Best Regards.
Reply all
Reply to author
Forward
0 new messages