[ossec-list] Re: Support for JBoss logs?

2008-01-16 Thread xu Feng
Hi, is there support for JBoss logs? No default rules exist to analyse JBoss logs, but we can do it by ourselves. I think the file Log Analysis using OSSEC by Daniel B. Cid at http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf will help a lot in understanding the mechanism and processing

[ossec-list] Re: How do I turn off the emails for certain rules

2008-01-16 Thread Dave Rutlidge
The current incarnation is to change rule 1002 to

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <!-- <options>alert_by_email</options> -->
    <description>Unknown problem somewhere in the system.</description>
  </rule>

to prevent the rule sending emails, then add <rule id="100101" level="8"

[ossec-list] Re: Support for JBoss logs?

2008-01-16 Thread Daniel Cid
Hi Paco, If you can forward some log samples to us, we can help you out with the rules. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Jan 15, 2008 8:38 PM, xu Feng [EMAIL PROTECTED] wrote: Hi, is there support for JBoss logs? No default rules exist to analyse JBoss logs, but we can

[ossec-list] Re: How do I turn off the emails for certain rules

2008-01-16 Thread Daniel Cid
Hi Dave, If you are trying to ignore these messages, you can set the level to 0 (no need to increase the severity).

  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>update.bad.phishing.sites|getpeername failed</match>
    <description>Ignored messages.</description>
  </rule>

Hope it helps. --

[ossec-list] Re: granular e-mail options

2008-01-16 Thread Daniel Cid
Hi Tom, Just complementing Steve's response, the granular e-mail alerting is used to restrict what is being sent. All the e-mails will still go to the main address (specified in the global section), but you can restrict what the other addresses will receive (only for specified rules or for

[ossec-list] Ossec Daemons

2008-01-16 Thread George Lantz
We have several ossec servers running. We are testing now, and last night I checked and some of the daemons were off, and it was different for each server. Just curious if there is somewhere that explains what each daemon handles. I think I can guess what each one does, but just so I have a

[ossec-list] Re: How do I turn off the emails for certain rules

2008-01-16 Thread Dave Rutlidge
That's what I did to begin with, but the alert_by_email option on the original 1002 means that the email gets sent even if the rule is ignored as you suggest. So, my latest stab at getting rid of the false positives took the approach of removing the alert_by_email option from rule 1002

[ossec-list] Re: How do I turn off the emails for certain rules

2008-01-16 Thread Steve McMaster
I have local rules set up to ignore false positives on that same rule (1002) that suppress the email. Here are a few examples you can go from.

  <rule id="14" level="3">
    <if_sid>1002</if_sid>
    <hostname>host1</hostname>
    <program_name>slapd</program_name>
    <description>Ignore slapd verbose logging