{"id":84,"date":"2009-10-28T18:52:59","date_gmt":"2009-10-28T18:52:59","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=84"},"modified":"2020-07-01T18:56:56","modified_gmt":"2020-07-01T18:56:56","slug":"creating-a-separated-directory-for-testing-ossec-rules-config","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2009\/10\/creating-a-separated-directory-for-testing-ossec-rules-config\/","title":{"rendered":"Creating a separated directory for testing OSSEC rules\/config"},"content":{"rendered":"\n<p>A question that I often hear is how to use a separate directory for testing OSSEC rules and the configuration.<\/p>\n\n\n\n<p>The easiest way is by doing the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1. Choose the new directory to use as a test-base. In my case it is going to be \/tmp\/ossectest\n\n2. Create that directory and a few important sub-directories.\n\n# mkdir \/tmp\/ossectest\n# mkdir \/tmp\/ossectest\/etc\n# mkdir \/tmp\/ossectest\/queue\/\n# mkdir \/tmp\/ossectest\/queue\/fts\n# mkdir \/tmp\/ossectest\/rules\n\n3. Copy over your configuration files, rules and decoders\n\n# cp -pr \/var\/ossec\/etc\/decoder.xml \/tmp\/ossectest\/etc\n# cp -pr \/var\/ossec\/etc\/ossec.conf \/tmp\/ossectest\/etc\n# cp -pr \/var\/ossec\/rules\/* \/tmp\/ossectest\/rules\/\n\n4. Run ossec-logtest using the new configuration and rules\n\n# \/var\/ossec\/bin\/ossec-logtest -D \/tmp\/ossectest\/ -c \/tmp\/ossectest\/etc\/ossec.conf\n\n5. Now you can modify the rules and configuration at \/tmp\/ossectest before moving them over to the real running directory<\/code><\/pre>\n\n\n\n<p>If there is any error in the rules or in the configuration you will get a message like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \/var\/ossec\/bin\/ossec-logtest -D \/tmp\/ossectest\/ -c \/tmp\/ossectest\/etc\/ossec.conf\n2009\/10\/28 12:40:27 ossec-config(1226): ERROR: Error reading XML file \u2018\/tmp\/ossectest\/etc\/ossec.conf\u2019: XML ERR: Element not closed: globalaa (line 7).\n2009\/10\/28 12:40:27 ossec-testrule(1202): ERROR: Configuration error at \u2018\/tmp\/ossectest\/etc\/ossec.conf\u2019. Exiting.<\/code><\/pre>\n\n\n\n<p>Otherwise you will be able to send any logs to logtest to test your rules.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A question that I often hear is how to use a separate directory for testing OSSEC rules and the configuration. The easiest way is by doing the following: If there is any error in the rules or in the configuration you will get a message like this: Otherwise you will be able to send any logs to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/84"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=84"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":85,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/84\/revisions\/85"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}