On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote:
>
> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for 
> rule 1002, right there towards the top. Note the options element, which 
> contains alert_by_email. That option tells OSSEC to ignore your 
> email_alert_level and just send an email every time this rule matches.  As 
> you have seen, rule 1002 is a catch-all heuristics rule that attempts to 
> identify problems in logs based on certain keywords. 
>
Thank you, that explains why level 2 alerts are generating the emails for 
the "BAD_WORDS". I was under the impression that the default level of 7 was 
for all types of rules, but that is clear now.

I'm now left with the feeling that that is the main cause of these alerts 
coming in: even though I have the filters in local_rules.xml, level 2 
alerts are still coming in, even when logtest shows that it should stop. 
Here is another simple example of a local_rule working for logtest, but 
still generating email alerts.

/var/ossec/rules/local_rules.xml
  <rule id="100010" level="0">
    <program_name>accelerator</program_name>
    <regex>Update peer failed with code 22</regex>
    <description>Ignore Expand Warnings</description>
  </rule>

/var/ossec/bin/ossec-logtest
2015/11/25 19:15:23 ossec-testrule: INFO: Reading local decoder file.
2015/11/25 19:15:24 ossec-testrule: INFO: Started (pid: 6713).
ossec-testrule: Type one log per line.

Nov 25 19:11:45 x.x.x.x accelerator[4124]:     Update peer failed with code 22.


**Phase 1: Completed pre-decoding.
       full event: 'Nov 25 19:11:45 x.x.x.x accelerator[4124]:     Update peer failed with code 22.'
       hostname: 'x.x.x.x'
       program_name: 'accelerator'
       log: '    Update peer failed with code 22.'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100010'
       Level: '0'
       Description: 'Ignore Expand Warnings'


So, even though logtest shows it will be a Level: '0', I still get an email 
alert as:

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
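As an added illustration (not part of the thread or of OSSEC itself): a small script that parses the Phase 3 block of ossec-logtest output like the one above and cross-checks the matched rule id against a rules file to see whether that rule carries the alert_by_email option described in the reply. The rule XML and the logtest output are constructed samples in the style of syslog_rules.xml, local_rules.xml and the output shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of syslog_rules.xml plus the poster's local rule.
# Rule 1002 is the catch-all with alert_by_email; 100010 is the level-0 override.
RULES_XML = """<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100010" level="0">
    <program_name>accelerator</program_name>
    <regex>Update peer failed with code 22</regex>
    <description>Ignore Expand Warnings</description>
  </rule>
</group>"""

# Constructed sample of the Phase 3 section of ossec-logtest output.
LOGTEST_OUTPUT = """**Phase 3: Completed filtering (rules).
       Rule id: '100010'
       Level: '0'
       Description: 'Ignore Expand Warnings'
"""

def email_forced_rules(rules_xml):
    """Map rule id -> level for every rule whose <options> contain alert_by_email,
    i.e. rules that mail on every match regardless of email_alert_level."""
    forced = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if any("alert_by_email" in (o.text or "") for o in rule.findall("options")):
            forced[rule.get("id")] = int(rule.get("level", "0"))
    return forced

def parse_phase3(output):
    """Return {'id', 'level', 'description'} from the Phase 3 block, or None."""
    m = re.search(r"Rule id: '(\d+)'\s+Level: '(\d+)'\s+Description: '([^']*)'", output)
    if not m:
        return None
    return {"id": m.group(1), "level": int(m.group(2)), "description": m.group(3)}

def check(output, rules_xml):
    """Say which rule logtest matched and whether that rule forces an email."""
    hit = parse_phase3(output)
    if hit is None:
        return {"matched": None, "mails_regardless_of_level": False}
    return {"matched": hit["id"], "level": hit["level"],
            "mails_regardless_of_level": hit["id"] in email_forced_rules(rules_xml)}

if __name__ == "__main__":
    print(check(LOGTEST_OUTPUT, RULES_XML))
```

Feeding the real ossec-logtest output and rules files into these functions shows quickly whether the rule that actually matched is one of the alert_by_email rules, which is the property that makes level 2 hits mail despite a higher email_alert_level.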
