On Thu, Jan 26, 2017 at 4:41 PM, Daniel B. <daniel.bald...@pokitdok.com> wrote:
>
> full_log:
>
> Files hidden inside directory
> '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'.
> Link count does not match number of files (54,70).
>
> I have a rule set up to ignore this, and it's actually being hit when I test
> the above line via ./ossec-logtest -v (see image)
>
> When I check the alerts, I see this as a level 7 alert.
>
> The rules are defined on the server. Any idea on why an alert would be
> generated despite the level 0 rule being hit?
>
Did you restart the OSSEC processes on the server after adding your rule?

> Decoder:
>>>
>>> <decoder name="ignore_docker_mismatch">
>>> <prematch>Files hidden inside directory </prematch>
>>> <regex>(\p/var/lib/docker\.+)</regex>
>>> <order>extra_data</order>
>>> </decoder>
>
> Rule:
>>
>> <rule id="700006" level="0">
>> <decoded_as>ignore_docker_mismatch</decoded_as>
>> <description>Level 0 Alert -- Ignoring Docker Files
>> Mismatch</description>
>> </rule>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.