Hi,

The name of the agent isn't extracted into a field for that rule.

This is an example of an alert for a disconnected agent:

** Alert 1515842367.7996: mail - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,
2018 Jan 13 12:19:27 fedora->ossec-monitord
Rule: 504 (level 3) -> 'Ossec agent disconnected.'
ossec: Agent disconnected: 'ubuntu-any'.

You may use ossec-logtest to test and debug your rules:

# /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

ossec: Agent disconnected: 'ubuntu-any'.

**Phase 1: Completed pre-decoding.
       full event: 'ossec: Agent disconnected: 'ubuntu-any'.'
       timestamp: '(null)'
       hostname: 'fedora'
       program_name: '(null)'
       log: 'ossec: Agent disconnected: 'ubuntu-any'.'

**Phase 2: Completed decoding.
       decoder: 'ossec'

**Phase 3: Completed filtering (rules).
       Rule id: '504'
       Level: '3'
       Description: 'Ossec agent disconnected.'
**Alert to be generated.

As you can see, the hostname (fedora in my case) matches the name of the manager, not the name of the agent. The agent is noted as "name-IP" (or "name-any" if the agent is not restricted to an IP address), but this data does not appear in a separate field.

So the easiest way to get what you want is to match the entire input log against the name of your agent (or agents) using the <match> option. For example, if we want to silence this rule for the agents "ubuntu-any" and "server-192.168.1.4", this rule works:

<rule id="100400" level="0">
  <if_sid>504</if_sid>
  <match>ubuntu-any|server-192.168.1.4</match>
  <description>Ignore ossec disconnects from ubuntu or server.</description>
</rule>

Of course, you don't have to put the complete agent info including the IP; you may specify the name only.

This is the result:

# /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

ossec: Agent disconnected: 'ubuntu-any'.

**Phase 1: Completed pre-decoding.
       full event: 'ossec: Agent disconnected: 'ubuntu-any'.'
       timestamp: '(null)'
       hostname: 'fedora'
       program_name: '(null)'
       log: 'ossec: Agent disconnected: 'ubuntu-any'.'

**Phase 2: Completed decoding.
       decoder: 'ossec'

**Phase 3: Completed filtering (rules).
       Rule id: '100400'
       Level: '0'
       Description: 'Ignore ossec disconnects from ubuntu or server.'

Hope it helps.

Best regards,

https://wazuh.com/
Victor M Fernandez-Castro
IT Engineer — Wazuh, Inc.

On Fri, Jan 12, 2018 at 5:03 AM, <ngru...@gmail.com> wrote:

> I've been trying to create a rule in my local_rules.xml file for a few
> hours now with no success, and I'm hoping someone can help. I'm sure I'm
> doing something really dumb and am just too tired to see it right now.
>
> I would like to create a rule that will basically override Rule 504 (ossec
> agent disconnected) for a few specific clients. I've added this rule to my
> local_rules.xml file:
>
> <group name="local_ignore_disconnects,ossec,">
>
>   <rule id="100400" level="0">
>     <if_sid>504</if_sid>
>     <hostname>host1.company.net</hostname>
>     <description>Ignore ossec disconnects from host1.</description>
>   </rule>
>
>   <rule id="100401" level="0">
>     <if_sid>504</if_sid>
>     <hostname>host2.company.net</hostname>
>     <description>Ignore ossec disconnects from host2.</description>
>   </rule>
>
> </group> <!-- OSSEC,LOCAL-IGNORE-DISCONNECTS -->
>
> Unfortunately, I am still getting email alerts whenever the ossec clients
> on host1 or host2 disconnect. To complicate matters, I can't figure out how
> to use ossec-logtest to try and test out these rules because the triggering
> condition is not part of any log (as far as I'm aware), so I don't know
> what type of example I could feed into the system.
>
> The only thing I can think of is that the ossec rules invoke a pre-decoder
> that does not provide a hostname for the client, or perhaps provides an
> inconsistent hostname. For example, the hostname that's decoded from syslog
> is (I think) the FQDN of the client. But perhaps the ossec decoder only
> knows the client by its agent name (which may not match the FQDN)?
>
> All of the documentation and examples I can find assume that I'm trying to
> override or augment rules for things like syslog, sshd, or apache; I
> haven't found anything that discusses how to augment an ossec core rule
> (IDs between 0 and 999) *unless* I want to completely silence the rule;
> but in this case, I'd just like to silence the rule for one or two clients.
>
> Any help would be greatly appreciated. Thanks!
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
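The point of the reply above (the pre-decoded hostname of an internal "ossec:" event is the manager's name, so a <hostname> child of rule 504 never fires, while a <match> over the full log does) can be checked without a running manager. The script below is an added example, not OSSEC or Wazuh code: it models only the three rule options the thread uses (<if_sid>, <match>, <hostname>) with the semantics the reply describes (<match> is an unanchored substring search over the whole log, with "|" separating alternatives; the first matching child's level replaces the parent's). The stand-in for rule 504, the manager hostname "fedora", and the agent names are constructed for the example; the real rule 504 lives in the stock ruleset and has more conditions than shown here.

```python
"""Minimal model of a child rule overriding rule 504 (added example, not OSSEC code).

Modelled semantics, as described in the reply above:
  * <match>    unanchored substring search over the full log; '|' is OR
  * <hostname> same search, but against the pre-decoded hostname, which for
               an internal 'ossec:' event is the manager's own name
  * <if_sid>   marks a child rule; children are tried only after the parent
               matched, and the first matching child's level wins
Rule 504 below is a constructed stand-in, not the stock rule.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock rule 504.
BASE_RULES = """
<group name="ossec,">
  <rule id="504" level="3">
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
  </rule>
</group>
"""

# Both approaches from the thread, side by side: hostname-based and match-based.
LOCAL_RULES = """
<group name="local_ignore_disconnects,ossec,">
  <rule id="100400" level="0">
    <if_sid>504</if_sid>
    <hostname>host1.company.net</hostname>
    <description>Ignore ossec disconnects from host1.</description>
  </rule>
  <rule id="100401" level="0">
    <if_sid>504</if_sid>
    <match>ubuntu-any|server-192.168.1.4</match>
    <description>Ignore ossec disconnects from ubuntu or server.</description>
  </rule>
</group>
"""

# Pre-decoded hostname of an internal ossec event: the manager, as in the reply.
MANAGER_HOSTNAME = "fedora"


def load_rules(*xml_docs):
    """Flatten the <rule> elements of one or more rule files into dicts."""
    rules = []
    for doc in xml_docs:
        for r in ET.fromstring(doc).iter("rule"):
            rules.append({
                "id": r.get("id"),
                "level": int(r.get("level")),
                "if_sid": r.findtext("if_sid"),      # None for a top-level rule
                "match": r.findtext("match"),
                "hostname": r.findtext("hostname"),
                "description": r.findtext("description"),
            })
    return rules


def ossec_match(pattern, text):
    """<match>/<hostname> semantics: unanchored substring search, '|' is OR."""
    return any(alt in text for alt in pattern.split("|"))


def rule_applies(rule, log, hostname):
    """True when every condition the rule carries holds for this event."""
    if rule["match"] is not None and not ossec_match(rule["match"], log):
        return False
    if rule["hostname"] is not None and not ossec_match(rule["hostname"], hostname):
        return False
    return True


def evaluate(rules, log, hostname=MANAGER_HOSTNAME):
    """Return (rule id, level) the way ossec-logtest Phase 3 would report it."""
    for parent in (r for r in rules if r["if_sid"] is None):
        if not rule_applies(parent, log, hostname):
            continue
        # First matching child wins and its level replaces the parent's.
        for child in (r for r in rules if r["if_sid"] == parent["id"]):
            if rule_applies(child, log, hostname):
                return child["id"], child["level"]
        return parent["id"], parent["level"]
    return None, None


def disconnect_event(agent):
    """Constructed internal event in the shape shown in the reply."""
    return f"ossec: Agent disconnected: '{agent}'."


if __name__ == "__main__":
    rules = load_rules(BASE_RULES, LOCAL_RULES)
    for agent in ("ubuntu-any", "server-192.168.1.4", "host1.company.net-any", "db-any"):
        print(f"{agent:24} -> rule {evaluate(rules, disconnect_event(agent))}")
```

Running it shows "ubuntu-any" and "server-192.168.1.4" ending at rule 100401 with level 0 (no alert), while "host1.company.net-any" still ends at 504 with level 3: the hostname rule 100400 is compared against "fedora", never against the agent name, so it cannot fire. One caveat the substring semantics bring: a pattern of "ubuntu-any" also silences an agent called "webubuntu-any", because <match> finds it inside the longer name. Since the quote characters around the agent name are ordinary text to <match>, putting them into the pattern (for example 'ubuntu-any' with the quotes) restricts it to the exact name.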