Hi Daniel,

Review *archives.log* to be sure the log is how you expected. Also, check 
out *alerts.log* to see the alert. Remember that *ossec-logtest* shows 
alerts with level 0, but OSSEC does not, or at least it should not.

Regards.

On Friday, January 27, 2017 at 8:00:19 AM UTC-8, Daniel B. wrote:
>
> Yes, via ./ossec-control -r
>
> On Thursday, January 26, 2017 at 4:41:20 PM UTC-5, Daniel B. wrote:
>>
>> <https://lh3.googleusercontent.com/-PjI5QG1OEt4/WIpsiYbmInI/AAAAAAAAAP8/XaaQ35illHgeh_zq_oAtMKNU6giFsek7QCLcB/s1600/2017-01-26_1638.png>
>>
>> full_log:
>> Files hidden inside directory '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'. Link count does not match number of files (54,70).
>>
>> I have a rule set up to ignore this, and it's actually being hit when I
>> test the above line via ./ossec-logtest -v (see image).
>>
>> When I check the alerts, I see this as a level 7 alert.
>>
>> The rules are defined on the server. Any idea on why an alert would be
>> generated despite the level 0 rule being hit?
>>
>> Decoder:
>>
>>> <decoder name="ignore_docker_mismatch">
>>>   <prematch>Files hidden inside directory </prematch>
>>>   <regex>(\p/var/lib/docker\.+)</regex>
>>>   <order>extra_data</order>
>>> </decoder>
>>
>> Rule:
>>
>>> <rule id="700006" level="0">
>>>   <decoded_as>ignore_docker_mismatch</decoded_as>
>>>   <description>Level 0 Alert -- Ignoring Docker Files Mismatch</description>
>>> </rule>
>>
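An added example (not part of this thread, nor OSSEC's own code) that does the *alerts.log* check the reply recommends: it parses alerts.log records and reports the rule id and level that actually fired for the Docker hidden-files rootcheck event. If the level-0 rule were winning, no such record would be written at all. It assumes the standard OSSEC alerts.log record layout; the sample records, including the level 7 rule they show, are constructed.

```python
"""Scan an OSSEC alerts.log for rootcheck 'Files hidden inside directory' events under
/var/lib/docker and report which rule id and level actually fired, so the result can
be compared with what ossec-logtest reports for the same line."""
import re
import sys

# Constructed sample of two alerts.log records (not taken from the thread). Records
# start with a "** Alert" header and are separated by a blank line.
SAMPLE_ALERTS = """\
** Alert 1485554700.12345: - ossec,rootcheck,
2017 Jan 27 16:05:00 (docker-host) 10.0.0.5->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Files hidden inside directory '/var/lib/docker/aufs/mnt/545d04c0/usr/share/locale'. Link count does not match number of files (54,70).

** Alert 1485554760.12400: - syslog,sshd,authentication_success,
2017 Jan 27 16:06:00 (docker-host) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Jan 27 16:06:00 docker-host sshd[1234]: Accepted publickey for ops from 10.0.0.9 port 52000 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)
DOCKER_HIDDEN_RE = re.compile(r"Files hidden inside directory '/var/lib/docker")


def parse_alerts(text):
    """Split alerts.log text into records and return (rule_id, level, body) tuples.
    Lines 1-3 of a record are header, timestamp/location and rule; the rest is the log."""
    records = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        match = RULE_RE.search(block)
        if match is None or block.count("\n") < 3:
            continue  # not a complete record
        body = block.split("\n", 3)[3]
        records.append((int(match.group(1)), int(match.group(2)), body))
    return records


def docker_hidden_alerts(text):
    """Return (rule_id, level) for every alert whose body is a hidden-files rootcheck
    finding under /var/lib/docker. If the level-0 rule were matching in production,
    none of these would be written to alerts.log, since OSSEC does not log level 0."""
    return [(rid, lvl) for rid, lvl, body in parse_alerts(text)
            if DOCKER_HIDDEN_RE.search(body)]


if __name__ == "__main__":
    # Pass a real alerts.log path to check the live file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for rid, lvl in docker_hidden_alerts(text):
        print(f"docker hidden-files event reached alerts.log via rule {rid} (level {lvl})")
```

Run it against the server's alerts.log; every line it prints is a hidden-files event that a rule other than the level-0 one matched, which is the mismatch with ossec-logtest to investigate.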
