Hi Daniel,
you are right, I forgot to add a regex to the rule. It could be something
like:
5104
device veth\S+ entered promiscuous mode
Ignore rule 5104 for weave.
Adapt the regex to the logs generated by weave. Also, you can use **.
Let me know if it works ;).
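As an added example (not code from the thread, and not Jesus's or Daniel's own), here is the child rule in the shape discussed above placed in a small script that checks which kernel lines it would silence. The rule id 100100 is a placeholder in the usual local_rules.xml custom range, the parent level is an assumed constant, and the matcher is a simplified stand-in for ossec-analysisd, only good enough to show why the regex should be narrowed to weave's veth interfaces rather than ignoring 5104 outright.

```python
"""Added example for the OSSEC/Wazuh thread above: a child rule with
<if_sid>5104</if_sid> and a <regex> that only silences promiscuous-mode
events for weave's veth interfaces. Rule id 100100, PARENT_LEVEL and the
matching logic are assumptions, not the real engine."""
import re
import xml.etree.ElementTree as ET

# Constructed child rule in the shape the thread describes (id is a placeholder).
LOCAL_RULE_XML = """
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\\S+ entered promiscuous mode</regex>
    <description>Ignore rule 5104 for weave.</description>
  </rule>
</group>
"""

# Constructed sample kernel lines: weave's veth pair vs. a physical NIC.
SAMPLE_LOGS = [
    "Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode",
    "Jan 16 20:47:03 machine_name kernel: [347962.000123] device eth0 entered promiscuous mode",
    "Jan 16 20:47:10 machine_name kernel: [347969.000456] device veth9c8da7ba left promiscuous mode",
]

PARENT_RULE_ID = 5104
PARENT_LEVEL = 8  # assumption: stands in for whatever level rule 5104 carries
# Constructed approximation of what rule 5104 keys on.
PARENT_MATCH = "entered promiscuous mode"


def ossec_regex_to_python(pattern: str) -> str:
    """Translate the subset of OSSEC regex syntax used here to Python.
    \\S, \\w, \\d, \\s, ., +, *, ^ and $ behave like their Python counterparts
    for this pattern; every other character is taken literally."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # keep the escape as-is
            i += 2
            continue
        out.append(ch if ch in ".+*^$" else re.escape(ch))
        i += 1
    return "".join(out)


def load_child_rules(xml_text: str) -> list:
    """Parse <rule> elements that hang off a parent via <if_sid>."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "if_sid": int(rule.findtext("if_sid")),
            "regex": re.compile(ossec_regex_to_python(rule.findtext("regex"))),
            "description": rule.findtext("description"),
        })
    return rules


def evaluate(log_line: str, child_rules: list):
    """Return (rule_id, level) of the rule that would fire, or None.
    A child rule that matches overrides its parent, as in ossec-analysisd."""
    if PARENT_MATCH not in log_line:
        return None
    for child in child_rules:
        if child["if_sid"] == PARENT_RULE_ID and child["regex"].search(log_line):
            return (child["id"], child["level"])
    return (PARENT_RULE_ID, PARENT_LEVEL)


def classify(lines: list, xml_text: str = LOCAL_RULE_XML) -> list:
    """Run every sample line through the simplified matcher."""
    child_rules = load_child_rules(xml_text)
    return [(line.split("device", 1)[1].strip(), evaluate(line, child_rules)) for line in lines]


if __name__ == "__main__":
    for tail, verdict in classify(SAMPLE_LOGS):
        print(f"{tail!r:55} -> {verdict}")
```

The veth line is caught by the level-0 child (silenced), the eth0 line still reaches rule 5104 (a real NIC entering promiscuous mode is exactly what you want to keep alerting on), and the "left promiscuous mode" line never matches the parent at all.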
Jesus, thanks for the response. I'm aware of ossec-logtest always showing
the name of the parent (which confused me until I RTFM). Using
`ossec-logtest -v` I was able to verify that the decoder was not being hit
as the rule for that was not being caught.
I did consider inserting an entry into
Hi Daniel,
ossec-logtest always shows the name of the parent.
If you want to ignore that alert, just create a rule in local_rules.xml:
5104
Ignore rule 5104.
Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
**Phase 1: