Bruce, thank you very much for the information. Will test with new rule 
number.

On Thursday, March 1, 2018 at 14:37:04 UTC+1, Bruce Westbrook wrote:
>
> Dmitriy, custom rules can only be numbered between 100,000 and 119,999.  
> Change the rule number you used (400,001) to one within the allowed range.
>
> You can then use the ossec-logtest binary to test your config before 
> deploying it.  Other than the rule number your syntax appears to be fine.
>
> - Bruce
>
>
>
> On Thursday, March 1, 2018 at 5:11:20 AM UTC-5, Dmitriy Shvedchenko wrote:
>>
>> Hello there,
>>
>> could someone help me exclude this message from ossec:
>>
>> OSSEC HIDS Notification.
>> 2018 Mar 01 11:02:10
>>
>> Received From: mail->/var/log/messages
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Mar  1 11:02:10 mail systemd-logind: Failed to remove runtime directory 
>> /run/user/0: Device or resource busy
>>
>>
>>
>>  --END OF NOTIFICATION
>>
>>
>>
>> I've created a local rule to exclude it, but this rule doesn't work:
>>
>>  <rule id="400001" level="0">
>>     <options>no_email_alert</options>
>>     <!--<if_group>syscheck</if_group>-->
>>     <if_sid>1002</if_sid>
>>     <program_name>systemd-logind</program_name>
>>     <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
>>     <description>ignore this message</description>
>>   </rule>
>>
>>
>> Could someone please tell me what I am doing wrong? Thank you in advance!
>>
>

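As an added example (not part of the thread), a small POSIX shell pre-deploy check that catches the mistake Bruce points out: it scans a local rules file and fails if any `<rule id="...">` lies outside the custom range 100,000 to 119,999. The sample rules embedded below are constructed from Dmitriy's post; the corrected id 100100 is an arbitrary in-range choice.

```bash
#!/bin/sh
# Pre-deploy check for OSSEC local rules: every <rule id="N"> must lie in
# the custom-rule range 100000-119999 quoted in the thread.
# Usage: check_rule_ids /var/ossec/rules/local_rules.xml
check_rule_ids() {
    file="$1"
    bad=0
    # Extract the numeric id of every <rule ...> tag, one per line.
    for id in $(grep -o '<rule[^>]*id="[0-9]*"' "$file" |
                sed 's/.*id="\([0-9]*\)".*/\1/'); do
        if [ "$id" -lt 100000 ] || [ "$id" -gt 119999 ]; then
            echo "rule id $id is outside the custom range 100000-119999" >&2
            bad=1
        fi
    done
    return $bad
}

# Write a rule string to a temp file and run the check against it,
# returning the check's exit status (0 = all ids in range).
check_rule_string() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    check_rule_ids "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample: the rule as posted (id 400001, out of range).
POSTED_RULE='<rule id="400001" level="0">
  <options>no_email_alert</options>
  <if_sid>1002</if_sid>
  <program_name>systemd-logind</program_name>
  <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
  <description>ignore this message</description>
</rule>'

# Same rule with an in-range id (100100 is an arbitrary in-range choice).
FIXED_RULE=$(printf '%s' "$POSTED_RULE" | sed 's/id="400001"/id="100100"/')

# Stand-alone run: check a real file if one is given on the command line.
if [ -n "${1:-}" ]; then
    check_rule_ids "$1"
fi
```

Once the ids pass, feed the offending log line to ossec-logtest as Bruce suggests to confirm the rule actually matches.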