[ossec-list] Re: Exclude rule
Unfortunately the rule still doesn't work. Also changed to:

no_email_alert
syscheck
systemd-logind
Failed to remove runtime directory /run/user/0: Device or resource busy
ignore this message

and still getting the mails.

On Thursday, 1 March 2018 at 11:11:20 UTC+1, Dmitriy Shvedchenko wrote:
>
> Hello there,
>
> could someone help me exclude this message from ossec:
>
> OSSEC HIDS Notification.
> 2018 Mar 01 11:02:10
>
> Received From: mail->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 1 11:02:10 mail systemd-logind: Failed to remove runtime directory
> /run/user/0: Device or resource busy
>
> --END OF NOTIFICATION
>
> I've created a local rule to exclude it, but this rule doesn't work:
>
> no_email_alert
>
> 1002
> systemd-logind
> Failed to remove runtime directory /run/user/0: Device or
> resource busy
> ignore this message
>
> Could someone please tell me what I am doing wrong? Thank you in advance!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Exclude rule
Bruce, thank you very much for the information. Will test with the new rule number.

On Thursday, 1 March 2018 at 14:37:04 UTC+1, Bruce Westbrook wrote:
>
> Dmitriy, custom rules can only be numbered between 100,000 and 119,999.
> Change the rule number you used (400,001) to one within the allowed range.
>
> You can then use the ossec-logtest binary to test your config before
> deploying it. Other than the rule number your syntax appears to be fine.
>
> - Bruce
>
> On Thursday, March 1, 2018 at 5:11:20 AM UTC-5, Dmitriy Shvedchenko wrote:
>>
>> Hello there,
>>
>> could someone help me exclude this message from ossec:
>>
>> OSSEC HIDS Notification.
>> 2018 Mar 01 11:02:10
>>
>> Received From: mail->/var/log/messages
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Mar 1 11:02:10 mail systemd-logind: Failed to remove runtime directory
>> /run/user/0: Device or resource busy
>>
>> --END OF NOTIFICATION
>>
>> I've created a local rule to exclude it, but this rule doesn't work:
>>
>> no_email_alert
>>
>> 1002
>> systemd-logind
>> Failed to remove runtime directory /run/user/0: Device or
>> resource busy
>> ignore this message
>>
>> Could someone please tell me what I am doing wrong? Thank you in advance!
>>
[ossec-list] Re: Exclude rule
Dmitriy, custom rules can only be numbered between 100,000 and 119,999. Change the rule number you used (400,001) to one within the allowed range.

You can then use the ossec-logtest binary to test your config before deploying it. Other than the rule number your syntax appears to be fine.

- Bruce

On Thursday, March 1, 2018 at 5:11:20 AM UTC-5, Dmitriy Shvedchenko wrote:
>
> Hello there,
>
> could someone help me exclude this message from ossec:
>
> OSSEC HIDS Notification.
> 2018 Mar 01 11:02:10
>
> Received From: mail->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 1 11:02:10 mail systemd-logind: Failed to remove runtime directory
> /run/user/0: Device or resource busy
>
> --END OF NOTIFICATION
>
> I've created a local rule to exclude it, but this rule doesn't work:
>
> no_email_alert
>
> 1002
> systemd-logind
> Failed to remove runtime directory /run/user/0: Device or
> resource busy
> ignore this message
>
> Could someone please tell me what I am doing wrong? Thank you in advance!
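A local rule assembled from the values quoted in the thread, added here as an example and not taken from any message above; the tag layout (if_sid, program_name, match, description, options) is an assumption about how the stripped rule was written, and 100001 is a placeholder ID inside the range Bruce gives.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not from the thread.
     Rule ID 100001 is a placeholder chosen from the custom range 100000-119999. -->
<group name="local,syslog,">
  <rule id="100001" level="2">
    <!-- Child of the generic "Unknown problem" rule that fired in the alert -->
    <if_sid>1002</if_sid>
    <program_name>systemd-logind</program_name>
    <!-- match is a literal substring test against the original single log line;
         the mail wrapped it over two lines, so keep the whole text on one line here -->
    <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
    <description>ignore this message</description>
    <!-- keeps the alert in the log but suppresses the e-mail for it -->
    <options>no_email_alert</options>
  </rule>
</group>
```

Before restarting OSSEC, pipe the exact line from the alert into /var/ossec/bin/ossec-logtest and confirm that the Phase 3 output reports rule id 100001 rather than 1002; if it still shows 1002, the match text or program_name does not line up with the decoded log.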