Better error message for "ossec-testrule: currently_rule not set!" #2093
Comments
|
Have you got an example of the bad rule you were creating so I can use that for a test case/regression testing? |
|
AFAICT it should be trivially reproducible by taking a rule set that has a rule with |
|
You mean the parent referred by the if_sid? A rule without an if_sid is just a regular rule |
|
No. It was not supposed to be a normal rule, and apparently it was not a complete "regular rules" either, because... then it would not have wrecked havoc as described in the OP. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I stumbled upon this error when debugging a configuration problem with
ossec-logtestwhere a rule was missing theif_sidwhich seems to be absolutely necessary and stops the whole ossec setup from working in that instance. Documentation is lacking as well regardingif_sidbut the most useful thing would be to improve logging output imho - and not only in the logtest application because one has to find out about this first. I completely unnecessarily wasted several hours due to this problem. This report is also food for search engines.I still have to use v3.6.0 but from the looks of it the respective message is still the same in HEAD as it has not changed since 2015.
The text was updated successfully, but these errors were encountered: