http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
Scot
On 10/9/06, Brian Avis <[EMAIL PROTECTED]> wrote:
I know there is a way to ignore certain files. Is there a way to ignore
certain errors? For example I put ossec on our mail server which is
running dspam. In /var/log/syslog we get a lot of these types of errors:
dspam[20881]: [ID 795625 mail.warning] process_message returned error
-5. delivering message.
that ossec is picking up on and sending to me via e-mail. After a
couple of hundred of those a day for a few days... the whole thing
starts to become pointless.
The whole message looks like this.
OSSEC HIDS Notification.
2006 Oct 09 07:09:27
Received From: unknown->/var/log/syslog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
dspam[20881]: [ID 795625 mail.warning] process_message returned error
-5. delivering message.
--END OF NOTIFICATION
I suppose I could set it to either ignore syslog or to not fire off a
message unless the alert level is 8, but those seem a bit drastic. Is
there another way?
--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
Have a nice diurnal anomaly!
--
________________________________________________
Scot Gardner
System Administrator
Antietam Cable
[EMAIL PROTECTED]
(301) 797.5000 x4054
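
One way to silence only this message, as an added example that is not part of the original thread or of the linked wiki page: a local OSSEC rule (typically kept in rules/local_rules.xml) that is a child of rule 1002 and sets level 0. The rule id 100001 and the group name are constructed for illustration, and the program_name check assumes the syslog pre-decoder extracts "dspam" as the program name.

```xml
<!-- Added example: local override for the dspam noise quoted above.
     Rule id 100001 is a constructed value in the range commonly used
     for user-defined rules; pick any unused id in your own rule set. -->
<group name="local,syslog,">

  <rule id="100001" level="0">
    <!-- Only evaluated for events that already matched rule 1002
         ("Unknown problem somewhere in the system."). -->
    <if_sid>1002</if_sid>

    <!-- Restrict the exception to dspam (assumes the pre-decoder
         reports the program name as "dspam"). -->
    <program_name>^dspam</program_name>

    <!-- Restrict it further to the one known-benign message, so any
         other dspam error still raises the level 7 alert. -->
    <match>process_message returned error -5</match>

    <description>Ignore dspam process_message error -5 (known noise).</description>
  </rule>

</group>
```

Level 0 means no alert is generated for the matching events, while every other line that trips rule 1002 still alerts at level 7. Pasting the sample syslog line into ossec-logtest shows whether the new rule, rather than 1002, is the one that fires.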
