Hi,

The name of the agent isn't extracted into a field for that rule.

This is an example of an alert of disconnected agent:

** Alert 1515842367.7996: mail  - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,
2018 Jan 13 12:19:27 fedora->ossec-monitord
Rule: 504 (level 3) -> 'Ossec agent disconnected.'
ossec: Agent disconnected: 'ubuntu-any'.


You may use ossec-logtest to test and debug your rules:

# /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

ossec: Agent disconnected: 'ubuntu-any'.


**Phase 1: Completed pre-decoding.
       full event: 'ossec: Agent disconnected: 'ubuntu-any'.'
       timestamp: '(null)'
       hostname: 'fedora'
       program_name: '(null)'
       log: 'ossec: Agent disconnected: 'ubuntu-any'.'

**Phase 2: Completed decoding.
       decoder: 'ossec'

**Phase 3: Completed filtering (rules).
       Rule id: '504'
       Level: '3'
       Description: 'Ossec agent disconnected.'
**Alert to be generated.


As you can see, the hostname (fedora in my case) matches the name of the
manager, not the name of the agent. The agent is noted as "name-IP" (or
"name-any" if the agent is not restricted to an IP address), but this data
does not appear in a separate field.

So the easiest way to get what you want is to match the entire input log
with the name of your agent (or agents) using the <match> option.

For example, if we want to silence this rule for the agents "ubuntu-any"
and "server-192.168.1.4" this rule works:

<rule id="100400" level="0">
  <if_sid>504</if_sid>
  <match>ubuntu-any|server-192.168.1.4</match>
  <description>Ignore ossec disconnects from ubuntu or server.</description>
</rule>

Of course, you don't have to put the complete agent info including the IP,
you may specify the name only.

This is the result:

# /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

ossec: Agent disconnected: 'ubuntu-any'.


**Phase 1: Completed pre-decoding.
       full event: 'ossec: Agent disconnected: 'ubuntu-any'.'
       timestamp: '(null)'
       hostname: 'fedora'
       program_name: '(null)'
       log: 'ossec: Agent disconnected: 'ubuntu-any'.'

**Phase 2: Completed decoding.
       decoder: 'ossec'

**Phase 3: Completed filtering (rules).
       Rule id: '100400'
       Level: '0'
       Description: 'Ignore ossec disconnects from ubuntu or server.'


Hope it helps.

Best regards,


<https://wazuh.com/>
Victor M Fernandez-Castro
IT Engineer — Wazuh, Inc.

On Fri, Jan 12, 2018 at 5:03 AM, <ngru...@gmail.com> wrote:

> I've been trying to create a rule in my local_rules.xml file for a few
> hours now with no success, and I'm hoping someone can help. I'm sure I'm
> doing something really dumb and am just too tired to see it right now.
>
> I would like to create a rule that will basically override Rule 504 (ossec
> agent disconnected) for a few specific clients. I've added this rule to my
> local_rules.xml file:
>
> <group name="local_ignore_disconnects,ossec,">
>
>   <rule id="100400" level="0">
>     <if_sid>504</if_sid>
>     <hostname>host1.company.net</hostname>
>     <description>Ignore ossec disconnects from host1.</description>
>   </rule>
>
>
>   <rule id="100401" level="0">
>     <if_sid>504</if_sid>
>     <hostname>host2.company.net</hostname>
>     <description>Ignore ossec disconnects from host2.</description>
>   </rule>
>
> </group> <!-- OSSEC,LOCAL-IGNORE-DISCONNECTS -->
>
> Unfortunately, I am still getting email alerts whenever the ossec clients
> on host1 or host2 disconnect. To complicate matters, I can't figure out how
> to use ossec-logtest to try and test out these rules because the triggering
> condition is not part of any log (as far as I'm aware), so I don't know
> what type of example I could feed into the system.
>
> The only thing I can think of is that the ossec rules invoke a pre-decoder
> that does not provide a hostname for the client, or perhaps provides an
> inconsistent hostname. For example, the hostname that's decoded from syslog
> is (I think) the FQDN of the client. But perhaps the ossec decoder only
> knows the client by its agent name (which may not match the FQDN)?
>
> All of the documentation and examples I can find assume that I'm trying to
> override or augment rules for things like syslog, sshd, or apache; I
> haven't found anything that discusses how to augment an ossec core rule
> (ID's between 0 and 999) unless I want to completely silence the rule;
> but in this case, I'd just like to silence the rule for one or two clients.
>
> Any help would be greatly appreciated. Thanks!
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

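Added example, not part of the thread above and not OSSEC's own code: a small Python emulation of the <match> workaround, so the effect of the pattern can be checked offline before editing local_rules.xml. It assumes, as the OSSEC documentation describes, that <match> is a plain substring test against the full log line with "|" separating alternatives; the sample lines are constructed in the format shown by ossec-logtest, and parse_agent() additionally splits the "name-IP" token that the stock decoder leaves unextracted.

```python
import re

# Constructed sample log lines, in the exact shape ossec-logtest showed above.
# "myubuntu-any" is added on purpose: it shares a suffix with "ubuntu-any".
SAMPLE_LOGS = [
    "ossec: Agent disconnected: 'ubuntu-any'.",
    "ossec: Agent disconnected: 'server-192.168.1.4'.",
    "ossec: Agent disconnected: 'myubuntu-any'.",
    "ossec: Agent disconnected: 'db01-10.0.0.7'.",
]

# The pattern from the thread, and a tighter variant that includes the quotes
# OSSEC prints around the agent token, so only whole names are accepted.
LOOSE_PATTERN = "ubuntu-any|server-192.168.1.4"
STRICT_PATTERN = "'ubuntu-any'|'server-192.168.1.4'"

AGENT_RE = re.compile(r"^ossec: Agent disconnected: '(?P<agent>[^']+)'\.$")


def parse_agent(log):
    """Pull the name-IP token out of the log text and split it into fields.

    Returns None when the line is not an agent-disconnect message. The IP part
    never contains a hyphen, so splitting on the last '-' keeps hyphenated
    agent names intact; 'any' is reported as ip=None.
    """
    m = AGENT_RE.match(log)
    if not m:
        return None
    agent = m.group("agent")
    name, sep, addr = agent.rpartition("-")
    if not sep:
        return {"agent": agent, "name": agent, "ip": None}
    return {"agent": agent, "name": name, "ip": None if addr == "any" else addr}


def ossec_match(pattern, log):
    """Emulate <match>: '|' separates alternatives, each a plain substring test.

    This is an approximation of OSSEC's behaviour for illustration, not a call
    into the real rule engine.
    """
    return any(alt in log for alt in pattern.split("|"))


def evaluate(pattern, logs=SAMPLE_LOGS):
    """Return (agent, suppressed) pairs for each sample line.

    suppressed == True means the level-0 child rule (100400) would fire
    instead of rule 504, i.e. the disconnect would be silenced.
    """
    results = []
    for log in logs:
        parsed = parse_agent(log)
        agent = parsed["agent"] if parsed else log
        results.append((agent, ossec_match(pattern, log)))
    return results


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"<match>{pattern}</match>  ({label})")
        for agent, suppressed in evaluate(pattern):
            print(f"  {agent:<22} {'silenced' if suppressed else 'alerts'}")
```

Running it shows the difference between the two patterns: the loose form silences "myubuntu-any" as well, because "ubuntu-any" is a substring of it, while the quoted form only silences the two agents that were actually intended. When the agent list is meant to be exact, including the surrounding quotes in the <match> value is the cheap way to avoid that collision.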