Thanks. That all seems to make sense, except I must have screwed it up. :)
This is what I put into the rules/local_rules.xml file in this group....

<group name="local,syslog,">
  #other example stuff added by ossec
  <rule id="1002" level="0">
    <if_sid>1002</if_sid>
    <match>process_message</match>
    <description>Mail delivery messages ignored</description>
  </rule>
</group>

In ossec.conf it already includes that file in the rules section (I think anyways).

<include>local_rules.xml</include>

And again... here is the bit in syslog I am trying to ignore.

OSSEC HIDS Notification.
2006 Oct 09 12:01:58

Received From: unknown->/var/log/syslog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):

dspam[8355]: [ID 795625 mail.warning] process_message returned error -5. delivering message.

--END OF NOTIFICATION

I just want it to ignore rule 1002 if it is a mail process_message error, which is why I put in the bit with <match>process_message</match>

So any hints as to where I screwed up? Do I have to match on this line?

Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."

Instead of the portion of the logs that I want to match on?

And yes... I restarted ossec on that box after changing the rules files.

Scot Gardner wrote:
> I was looking for a way to do this as well with another error, and found
> the answer on the wiki page.
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Scot
>
> On 10/9/06, Brian Avis <[EMAIL PROTECTED]> wrote:
>>
>> I know there is a way to ignore certain files. Is there a way to ignore
>> certain errors? For example I put ossec on our mail server which is
>> running dspam. In /var/log/syslog we get a lot of these type of errors
>>
>> dspam[20881]: [ID 795625 mail.warning] process_message returned error
>> -5. delivering message.
>>
>> that ossec is picking up on and sending to me via e-mail. After a
>> couple of hundred of those a day for a few days... the whole thing
>> starts to become pointless.
>>
>> The whole message looks like this.
>>
>> OSSEC HIDS Notification.
>> 2006 Oct 09 07:09:27
>>
>> Received From: unknown->/var/log/syslog
>> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> dspam[20881]: [ID 795625 mail.warning] process_message returned error
>> -5. delivering message.
>>
>> --END OF NOTIFICATION
>>
>> I suppose I could set it to either ignore syslog or to not fire off a
>> message unless the alert level is 8, but those seem a bit drastic. Is
>> there another way?
>>
>> --
>> Brian Avis
>> SEARHC Medical Clinic
>> Juneau, AK 99801
>> (907) 463-4049
>> Have a nice diurnal anomaly!
>>
>

--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
Have a nice diurnal anomaly!
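An added check, not part of the thread or of OSSEC itself, that lints a local_rules.xml fragment like the one posted above: OSSEC reserves ids 100000-119999 for user-defined rules, so a local rule that reuses id 1002 and then names 1002 in its own <if_sid> is flagged, and the <match> test is simulated as a plain substring search (an assumption that holds for a literal pattern such as process_message). The sample XML and log line are constructed from the post.

```python
import xml.etree.ElementTree as ET

# Id range OSSEC reserves for user-defined rules in local_rules.xml.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# Constructed sample: the rule as posted in the thread (reuses built-in id 1002).
POSTED_RULES = """<group name="local,syslog,">
  <rule id="1002" level="0">
    <if_sid>1002</if_sid>
    <match>process_message</match>
    <description>Mail delivery messages ignored</description>
  </rule>
</group>"""

# Constructed sample: the same rule given an id from the local range.
FIXED_RULES = POSTED_RULES.replace('<rule id="1002"', '<rule id="100001"')

# Constructed sample: the syslog line from the notification in the thread.
SAMPLE_LOG = ("dspam[8355]: [ID 795625 mail.warning] process_message "
              "returned error -5. delivering message.")


def lint_rules(xml_text):
    """Return a list of problems found in a local_rules.xml fragment."""
    problems = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if not LOCAL_ID_MIN <= rid <= LOCAL_ID_MAX:
            problems.append(f"rule {rid}: id outside local range "
                            f"{LOCAL_ID_MIN}-{LOCAL_ID_MAX}")
        for dep in rule.findall("if_sid"):
            if int(dep.text.strip()) == rid:
                problems.append(f"rule {rid}: if_sid refers to its own id")
    return problems


def rule_matches(xml_text, log_line):
    """Ids of rules whose <match> text occurs in log_line (substring test,
    an assumed simplification of OSSEC's literal match)."""
    root = ET.fromstring(xml_text)
    hits = []
    for rule in root.iter("rule"):
        m = rule.find("match")
        if m is not None and m.text.strip() in log_line:
            hits.append(rule.get("id"))
    return hits
```

A rule that passes the lint and matches the line is a level-0 child of 1002, which is what suppresses the alert; the posted version fails the lint on both counts.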
