Hi Kivanio,

The best way is to create a local rule to ignore most of these Amavis logs. This rule should ignore all Amavis logs (just add it to /var/ossec/rules/local_rules.xml):

<group name="local">
  <rule id="100101" level="0">
    <program_name>^amavis</program_name>
    <description>Amavis Events ignored</description>
  </rule>
</group>

After that you can go on filtering out what is interesting to get alerts. If you can send more samples to us, it would be great too.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Dec 14, 2007 7:42 AM, Kivanio Barbosa <[EMAIL PROTECTED]> wrote:
> Hi!,
>
> I'm starting with OSSEC on a FreeBSD 6.2 machine.
>
> But when OSSEC starts, it sends mail every minute about the log in maillog,
> because MAIA+AMAVIS make a very extensive log,
> and then match rules 1002 and 1003.
> In rule 1003 I fixed it with a big maxsize, but I don't think this is a good
> idea.
>
> <rule id="1002" level="2">
>   <match>$BAD_WORDS</match>
>   <options>alert_by_email</options>
>   <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> <rule id="1003" level="13" maxsize="20856">
>   <description>Non standard syslog message (size too large).</description>
> </rule>
>
> How do I fix this problem?
> Create a new rule?
> Does a rule about it exist?
> Does anybody have this rule or problem?
>
> Received From: capitao->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Dec 14 08:16:28 capitao amavis[80589]: (80589-10) Maia: [read_system_config] Bad header checking is ENABLED
>
> Received From: capitao->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Dec 14 08:16:04 capitao amavis[80635]: (80635-10) extra modules loaded:
> /usr/local/etc/mail/spamassassin/FuzzyOcr.pm,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/autosplit.ix,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_any2n.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_n2dx.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_aton.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_n2d.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/autosplit.ix,
> Crypt/Blowfish.pm, Crypt/CBC.pm, Error.pm, Mail/SPF.pm, Mail/SPF/Base.pm,
> Mail/SPF/Exception.pm, Mail/SPF/MacroString.pm, Mail/SPF/Mech.pm,
> Mail/SPF/Mech/A.pm, Mail/SPF/Mech/All.pm, Mail/SPF/Mech/Exists.pm,
> Mail/SPF/Mech/IP4.pm, Mail/SPF/Mech/IP6.pm, Mail/SPF/Mech/Include.pm,
> Mail/SPF/Mech/MX.pm, Mail/SPF/Mech/PTR.pm, Mail/SPF/Mod.pm,
> Mail/SPF/Mod/Exp.pm, Mail/SPF/Mod/Redirect.pm, Mail/SPF/Record.pm,
> Mail/SPF/Request.pm, Mail/SPF/Result....
>
> Complete log:
>
> mavis[80841]: (80841-08) extra modules loaded:
> /usr/local/etc/mail/spamassassin/FuzzyOcr.pm,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/autosplit.ix,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_any2n.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_aton.al,
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/autosplit.ix,
> Error.pm, Mail/SPF.pm, Mail/SPF/Base.pm, Mail/SPF/Exception.pm,
> Mail/SPF/MacroString.pm, Mail/SPF/Record.pm, Mail/SPF/Request.pm,
> Mail/SPF/Result.pm, Mail/SPF/Server.pm, Mail/SPF/Util.pm,
> Mail/SpamAssassin/Locales.pm, Mail/SpamAssassin/Plugin/Bayes.pm,
> Mail/SpamAssassin/Plugin/BodyEval.pm, Mail/SpamAssassin/Plugin/Check.pm,
> Mail/SpamAssassin/Plugin/DNSEval.pm, Mail/SpamAssassin/Plugin/HTMLEval.pm,
> Mail/SpamAssassin/Plugin/HTTPSMismatch.pm,
> Mail/SpamAssassin/Plugin/HeaderEval.pm,
> Mail/SpamAssassin/Plugin/ImageInfo.pm, Mail/SpamAssassin/Plugin/MIMEEval.pm,
> Mail/SpamAssassin/Plugin/RelayEva...
>
> Dec 14 08:16:20 amavis[80841]: (80841-08) ...l.pm,
> Mail/SpamAssassin/Plugin/URIDetail.pm, Mail/SpamAssassin/Plugin/URIEval.pm,
> Mail/SpamAssassin/Plugin/VBounce.pm, Mail/SpamAssassin/Plugin/WLBLEval.pm,
> NetAddr/IP.pm, NetAddr/IP/Lite.pm, NetAddr/IP/Util.pm,
> NetAddr/IP/Util_IS.pm, String/Approx.pm, unicore/lib/gc_sc/Word.pl,
> version.pm, version/vxs.pm
>
> and other small logs for amavis.
>
> Thanks, sorry for my bad English, I'm learning :D
>
> --
> Kivanio Pereira Barbosa
> Cel 8121-4248
>
> www.eiqconsultoria.com.br
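The reply above stops at the catch-all ignore rule and says to "go filtering out what is interesting" afterwards. The following local_rules.xml is an added example of that second step; it is not part of Daniel's reply or of the OSSEC rule set. It keeps rule 100101 exactly as posted and adds one child rule that re-enables alerting for a single class of Amavis event. Rule id 100102, its level, and the "Blocked" keyword in its <match> are assumptions chosen for illustration (none of the log samples in this thread contain that word); replace the pattern with whatever Amavis lines you actually want to be alerted on after reviewing more samples.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread) -->
<group name="local,amavis,">

  <!-- Catch-all from the reply above. The syslog decoder extracts the
       program name from "amavis[80589]:", so ^amavis matches every line
       the Amavis process writes, including the "Maia: [...]" and
       "extra modules loaded:" lines. Level 0 means: matched, but no
       alert, so rule 1002's $BAD_WORDS never gets a chance to fire on
       "Bad header checking is ENABLED". -->
  <rule id="100101" level="0">
    <program_name>^amavis</program_name>
    <description>Amavis Events ignored</description>
  </rule>

  <!-- Child rule: only evaluated for events that already matched 100101.
       A child match overrides the parent's level 0, which is how you
       "filter out what is interesting" without losing the catch-all.
       ASSUMPTION: "Blocked" is used here as a placeholder keyword; the
       rule id 100102 and level 6 are also illustrative choices. -->
  <rule id="100102" level="6">
    <if_sid>100101</if_sid>
    <match>Blocked</match>
    <description>Amavis blocked a message</description>
  </rule>

</group>
```

After editing the file, restart with /var/ossec/bin/ossec-control restart and paste one of the quoted maillog lines into /var/ossec/bin/ossec-logtest: it should report rule 100101 at level 0 for the "Maia:" and "extra modules loaded:" lines and no alert for them, which also tells you whether the maxsize change on rule 1003 is still needed. Keep 100101 as the only level-0 rule for Amavis and add further if_sid children under it rather than more catch-alls, so every new alert is an explicit, reviewable choice.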