On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote:

> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for
> rule 1002, right there towards the top. Note the options element, which
> contains alert_by_email. That option tells OSSEC to ignore your
> email_alert_level and just send an email every time this rule matches. As
> you have seen, rule 1002 is a catch-all heuristics rule that attempts to
> identify problems in logs based on certain keywords.

Thank you, that explains why level 2 alerts are generating the emails for the "BAD_WORDS". I was under the impression that the default level of 7 was for all types of rules, but that is clear now.
I'm now left with the feeling that this is the main cause of these alerts coming in: even though I have the filters in local_rules.xml, level 2 alerts are still coming in, even when logtest shows that they should stop.

Here is another simple example of a local rule working for logtest, but still generating email alerts.

/var/ossec/rules/local_rules.xml

<rule id="100010" level="0">
  <program_name>accelerator</program_name>
  <regex>Update peer failed with code 22</regex>
  <description>Ignore Expand Warnings</description>
</rule>

/var/ossec/bin/ossec-logtest

2015/11/25 19:15:23 ossec-testrule: INFO: Reading local decoder file.
2015/11/25 19:15:24 ossec-testrule: INFO: Started (pid: 6713).
ossec-testrule: Type one log per line.

Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.

**Phase 1: Completed pre-decoding.
       full event: 'Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.'
       hostname: 'x.x.x.x'
       program_name: 'accelerator'
       log: ' Update peer failed with code 22.'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100010'
       Level: '0'
       Description: 'Ignore Expand Warnings'

So, even though logtest shows it will be a Level: '0', I still get an email alert as:

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
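One way to make the suppression explicit, as an added example that is not part of this thread: tie the local rule to rule 1002 with <if_sid>, so it is evaluated as a child of the catch-all rule that carries alert_by_email rather than as an independent top-level rule. The rule id 100010 and the log string come from the post above; the group name is the one OSSEC's shipped local_rules.xml uses, <match> (plain substring) replaces <regex> because the string contains no pattern characters, and it is assumed OSSEC is restarted after the edit since rule files are read at daemon start.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread) -->
<group name="local,syslog,">
  <!-- Child of rule 1002, the "Unknown problem somewhere in the system"
       catch-all whose options element sets alert_by_email.
       This rule is only evaluated after 1002 has matched; because it
       matches the accelerator message and its level is 0, the event ends
       at this rule instead of at 1002, so no forced email is generated. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <program_name>accelerator</program_name>
    <match>Update peer failed with code 22</match>
    <description>Ignore Expand Warnings (accelerator peer update)</description>
  </rule>
</group>
```

After restarting OSSEC, re-run /var/ossec/bin/ossec-logtest with the same line and confirm Phase 3 still ends at Rule id '100010', Level '0'.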