That works like a charm, thank you for your help!
Cheers,
gert
On Thursday, May 25, 2017 at 1:21:52 AM UTC+12, Jesus Linares wrote:
I don't know what is happening. Both regex and match look in the full_log field. So it should work with regex (escaping reserved characters) and match. It looks like the full_log doesn't contain that information, only the filename.
Anyway, if you are using Wazuh 2.0, the "title" and
I think I'm just really confused as to what "regex" and "match" are
actually matching against. Given the following log event:
2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck
File
Unfortunately, it's still not working, and I'm not sure what else I can
try... This is what I'm doing:
The log entries that I want to ignore all look like this (from
archives.log):
2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck
File
Aha, thanks for the insights, that makes sense. I've changed the \.* into
\S* and restarted everything. It seems to work! Thanks for your help!
Cheers,
Gert
On Tuesday, May 23, 2017 at 1:35:58 AM UTC+12, Jesus Linares wrote:
You can't use ossec-logtest for rootcheck events. For example, if I get the
full_log of a real alert: "File
'/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is
owned by root and has written permissions to anyone." and I paste it in
logtest:
Phase 1: Completed
On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog wrote:
Hi Jesus,
I'm having the same problem, and the triggering of this rule causes so much
noise that it's drowning out other alerts. I have added a rule like you
suggested to my local rules:
510
/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has
written permissions to
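Since ossec-logtest cannot replay rootcheck events (as noted further down in this thread), the following is a small Python dry-run of a child rule for 510 against sample full_log strings. This is an added example, not code from the thread or from the Wazuh project: the rule id, the level, the Docker volume path and the first sample log are constructed assumptions; only `<if_sid>510</if_sid>`, the `\S*` pattern shape and the second sample log (the full_log Jesus quoted) come from the thread. The documented OS_Regex atoms (`\w`, `\d`, `\s`, `\S`, `\.` and so on) are re-implemented on top of Python's `re`, which backtracks where the C engine may not, so a match here tells you the pattern is well-formed and targets the right string, not that the deployed engine will behave identically.

```python
"""Dry-run a Wazuh/OSSEC child rule's <regex>/<match> conditions against rootcheck full_log text.

Added example (not from the mailing-list thread or the Wazuh code base).
"""
import re
import xml.etree.ElementTree as ET

# Constructed rule for this example: rule id 100510, level 0 and the Docker path are
# assumptions; <if_sid>510</if_sid> and the regex shape follow the thread. Level 0 is
# the standard way to silence a parent rule's alert for the matching events.
RULE_XML = r"""
<group name="local,rootcheck,">
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <regex>/var/lib/docker/volumes/\S*/_data/\S* is owned by root and has written permissions to</regex>
    <description>Ignore rule 510 for Docker volume files.</description>
  </rule>
</group>
"""

# Documented OS_Regex atoms for <regex>, mapped to Python re. Anything else in an
# OSSEC regex is a literal, including '.' and '/'. Whether '_' belongs to \w is an
# approximation here; the documentation lists A-Z, a-z and 0-9.
_ATOMS = {
    r"\w": "[A-Za-z0-9_]", r"\d": "[0-9]", r"\s": " ", r"\t": "\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    r"\W": "[^A-Za-z0-9_]", r"\D": "[^0-9]", r"\S": "[^ ]", r"\.": ".",
}


def os_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            atom = pattern[i:i + 2]
            # \( \) \| and similar are escaped literals in OSSEC as well
            out.append(_ATOMS.get(atom, re.escape(pattern[i + 1])))
            i += 2
        elif ch in "*+^$|()":
            out.append(ch)  # quantifiers, anchors, alternation and groups keep their meaning
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def os_match_to_python(pattern: str) -> str:
    """Translate an OSSEC <match> (OS_Match) pattern: plain substring matching where
    only a leading '^', a trailing '$' and '|' are special."""
    alts = []
    for alt in pattern.split("|"):
        prefix = suffix = ""
        if alt.startswith("^"):
            prefix, alt = "^", alt[1:]
        if alt.endswith("$"):
            suffix, alt = "$", alt[:-1]
        alts.append(prefix + re.escape(alt) + suffix)
    return "|".join(alts)


def load_child_rules(rule_xml: str, parent_sid: str = "510"):
    """Return (rule_id, level, [compiled conditions]) for each rule hanging off parent_sid."""
    rules = []
    for rule in ET.fromstring(rule_xml).iter("rule"):
        parents = [s.strip() for s in rule.findtext("if_sid", "").split(",")]
        if parent_sid not in parents:
            continue
        conds = [re.compile(os_regex_to_python(el.text.strip())) for el in rule.findall("regex")]
        conds += [re.compile(os_match_to_python(el.text.strip())) for el in rule.findall("match")]
        rules.append((rule.get("id"), int(rule.get("level")), conds))
    return rules


def effective_level(rule_xml: str, full_log: str, parent_level: int = 7):
    """Rule id and level that a rootcheck full_log ends up with.

    The first child whose every condition matches overrides the parent (510, assumed
    level 7 here); a level of 0 means the event is not alerted on."""
    for rule_id, level, conds in load_child_rules(rule_xml):
        if conds and all(c.search(full_log) for c in conds):
            return rule_id, level
    return "510", parent_level


# Constructed sample full_log strings: the first is the Docker-volume shape the thread
# wants silenced, the second is the real full_log Jesus quoted in the thread.
SAMPLE_FULL_LOGS = [
    "File '/var/lib/docker/volumes/3f2a9c/_data/tmp/cache.db' is owned by root and has written permissions to anyone.",
    "File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.",
]

if __name__ == "__main__":
    for log in SAMPLE_FULL_LOGS:
        rule_id, level = effective_level(RULE_XML, log)
        print(f"rule {rule_id} level {level}: {log[:70]}...")
```

Paste the rule's `<regex>` or `<match>` text into `RULE_XML` and a few full_log strings from archives.log into `SAMPLE_FULL_LOGS` to see which events the child rule would capture before restarting the manager; a rule that matches the NSIS line as well as the Docker line is too broad.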
Hi Rob,
you need to add the conditions to trigger that rule only for your specific
files. Use match or regex:
510
Ignore rule 510 for 600 seconds for some files.
I think you can't use same_id because the decoders are not extracting any ID.
Regards.
On Monday, April 17,
Hi Jesus, the first rule is what I am trying. You said I can match the file
in but can I do that when the file changes, as it's not one file I
want to ignore? Can I use regex syntax in rules? I used it in decoders as I
thought I wasn't able to. Thanks!
510
Ignore rule 510 for 600
What rule did you use? Please share here the rule and the alerts that you
want to ignore.
I'd need the ID from the decoder to do so
There are no XML decoders for rootcheck. What you want to extract in the id
field is the file, right? You can do a match in the rule for the file.
Regards.
Hi Jesus,
Thanks for the reply. I have noticed when I activate this rule, it blocks
all events and does not alert on the first event. Also note, I am trying to
use the ID field from my decoder to match against. I can't just use a
static match as the ID continuously changes so I'd need the ID
Hi Rob,
it is not possible to create decoders for rootcheck because they are at C
level: https://github.com/wazuh/wazuh/blob/master/src/analysisd/analysisd.c#L772
Also, you don't need them, just create a rule like:
510
your conditions (match the file?)
Ignore rule 510 during 300
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams wrote:
It
Hi,
I tried to do this, but I'm getting:
ERROR: Parent decoder name invalid: 'rootcheck'
ERROR: Error adding decoder plugin
I don't see the rootcheck decoder within decoder.xml as well, any ideas?
Thanks again for the help!
On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote: