[ossec-list] Re: System Integrity Check questions

2017-01-18 Thread Nikki S
Also, to clarify auto_ignore is set to 'no' - no

On Wednesday, January 18, 2017 at 3:27:57 PM UTC-5, Nikki S wrote:
> Hi,
>
> I have a couple of questions regarding FIM/System Integrity check. I'm hoping this would help others as well starting off with OSSEC.
>
> - When a new agent is

[ossec-list] System Integrity Check questions

2017-01-18 Thread Nikki S
Hi, I have a couple of questions regarding FIM/System Integrity check. I'm hoping this would help others as well starting off with OSSEC. - When a new agent is installed, does it run the system integrity check automatically, or does the option need to be enabled? - I have kept the

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
Hi Daniel, you are right, I forgot to add a regex to the rule. It could be something like: 5104 device veth\S+ entered promiscuous mode Ignore rule 5104 for weave. Adapt the regex to the logs generated by weave. Also, you can use **. Let me know if it works ;).

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Daniel B.
Jesus, thanks for the response. I'm aware of ossec-logtest always showing the name of the parent (which confused me until I RTFM). Using `ossec-logtest -v` I was able to verify that the decoder was not being hit as the rule for that was not being caught. I did consider inserting an entry into

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
Hi Daniel, ossec-logtest always shows the name of the parent. If you want to ignore that alert, just create a rule in local_rules.xml: 5104 Ignore rule 5104. Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode **Phase 1: