Use rule id=1000x:

<rule id="10002" level="0">
  <if_sid>1002</if_sid>
  <match>process_message</match>
  <description>Mail delivery messages ignored</description>
</rule>

On 10/9/06, Brian Avis <[EMAIL PROTECTED]> wrote:

Thanks.  That all seems to make sense, except I must have screwed it up.  :)

This is what I put into the rules/local_rules.xml file in this group....

<group name="local,syslog,">


#other example stuff added by ossec


<rule id="1002" level="0">
   <if_sid>1002</if_sid>
   <match>process_message</match>
   <description>Mail delivery messages ignored</description>
</rule>

</group>

In ossec.conf it already includes that file in the rules section (I
think, anyway).

<include>local_rules.xml</include>

And again... here is the bit in syslog I am trying to ignore.

OSSEC HIDS Notification.
2006 Oct 09 12:01:58

Received From: unknown->/var/log/syslog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):

dspam[8355]: [ID 795625 mail.warning] process_message returned error -5.
delivering message.

--END OF NOTIFICATION


I just want it to ignore rule 1002 if it is a mail process_message
error, which is why I put in the bit with <match>process_message</match>.

So any hints as to where I screwed up?

Do I have to match on this line? Rule: 1002 fired (level 7) -> "Unknown
problem somewhere in the system." Instead of the portion of the logs
that I want to match on?

And yes... I restarted ossec on that box after changing the rules files.




Scot Gardner wrote:
> I was looking for a way to do this as well with another error, and found
> the answer on the wiki page.
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Scot
>
> On 10/9/06, Brian Avis < [EMAIL PROTECTED]> wrote:
>>
>> I know there is a way to ignore certain files.  Is there a way to ignore
>> certain errors?  For example I put ossec on our mail server which is
>> running dspam.  In /var/log/syslog  we get a lot of these type of errors
>>
>>
>> dspam[20881]: [ID 795625 mail.warning] process_message returned error
>> -5.  delivering message.
>>
>>
>> that ossec is picking up on and sending to me via e-mail.  After a
>> couple of hundred of those a day for a few days... the whole thing
>> starts to become pointless.
>>
>> The whole message looks like this.
>>
>> OSSEC HIDS Notification.
>> 2006 Oct 09 07:09:27
>>
>> Received From: unknown->/var/log/syslog
>> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> dspam[20881]: [ID 795625 mail.warning] process_message returned error
>> -5.  delivering message.
>>
>>
>>
>> --END OF NOTIFICATION
>>
>>
>>
>> I suppose I could set it to either ignore syslog or to not fire off a
>> message unless the alert level is 8, but those seem a bit drastic. Is
>> there another way?
>>
>>
>>
>>
>> --
>> Brian Avis
>> SEARHC Medical Clinic
>> Juneau, AK 99801
>> (907) 463-4049
>> Have a nice diurnal anomaly!
>>
>
>
>

--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
Have a nice diurnal anomaly!
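As an added illustration of the if_sid / match / level 0 chain discussed in this thread (this is not OSSEC's own code and not from any of the posters), the Python below models just enough of the rule engine to run the two local_rules.xml variants against the dspam line. The parent rule 1002 here is a constructed stand-in that only matches the word "error" (the real one in syslog_rules.xml matches a longer bad-word list), the sshd line is made up, and rejecting a second definition of an already-loaded id is the model's own assumption, not a statement of what the daemon does with it.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the built-in parent rule.  The real rule 1002 in
# OSSEC's syslog_rules.xml matches a longer list of "bad words"; "error" is
# enough to reproduce the alert from the thread.
BASE_RULES = """
<group name="syslog,">
  <rule id="1002" level="7">
    <match>error</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

# Child rule with its own id, as suggested in the reply.
LOCAL_OK = """
<group name="local,syslog,">
  <rule id="10002" level="0">
    <if_sid>1002</if_sid>
    <match>process_message</match>
    <description>Mail delivery messages ignored</description>
  </rule>
</group>
"""

# The first attempt from the thread: the child reuses the parent's id.
LOCAL_BROKEN = LOCAL_OK.replace('id="10002"', 'id="1002"')

DSPAM_LINE = ("dspam[8355]: [ID 795625 mail.warning] process_message "
              "returned error -5. delivering message.")
# Constructed line that should still reach the mailbox after the fix.
OTHER_LINE = "sshd[2211]: error: PAM: Authentication failure for root from 10.0.0.5"


def load_rules(*xml_docs):
    """Parse <rule> elements into a dict keyed by id.

    Ids are the handles that if_sid points at, so a second definition of an
    id already loaded is rejected (assumption of this model; the page does not
    show how the daemon itself reacts to a duplicate id).
    """
    rules = {}
    for doc in xml_docs:
        for r in ET.fromstring(doc.strip()).iter("rule"):
            rid = int(r.get("id"))
            if rid in rules:
                raise ValueError(
                    f"rule id {rid} is already defined; give the child rule an unused id")
            if_sid = r.findtext("if_sid")
            rules[rid] = {
                "level": int(r.get("level")),
                "if_sid": int(if_sid) if if_sid else None,
                "match": r.findtext("match"),
                "description": r.findtext("description", ""),
            }
    return rules


def evaluate(rules, log):
    """Return (id, level, description) of the rule that finally owns `log`, or None.

    <match> is a plain substring test against the raw log line, not against the
    'Rule: 1002 fired ...' text of the notification e-mail.
    """
    hit = None
    for rid in sorted(rules):
        rule = rules[rid]
        if rule["if_sid"] is None and rule["match"] is not None and rule["match"] in log:
            hit = rid
            break
    if hit is None:
        return None
    # Walk children chained via if_sid; the deepest matching child wins,
    # so a level-0 child silences its level-7 parent.
    seen = {hit}
    while True:
        for cid in sorted(rules):
            child = rules[cid]
            if (child["if_sid"] == hit and cid not in seen
                    and (child["match"] is None or child["match"] in log)):
                hit, seen = cid, seen | {cid}
                break
        else:
            break
    return hit, rules[hit]["level"], rules[hit]["description"]


def alerts(rules, logs):
    """Only matches with level > 0 become alerts; level 0 is dropped silently."""
    out = []
    for log in logs:
        res = evaluate(rules, log)
        if res and res[1] > 0:
            out.append((res[0], res[1], log))
    return out


if __name__ == "__main__":
    ok = load_rules(BASE_RULES, LOCAL_OK)
    for rid, level, log in alerts(ok, [DSPAM_LINE, OTHER_LINE]):
        print(f"Rule: {rid} fired (level {level}) -> {log}")
    try:
        load_rules(BASE_RULES, LOCAL_BROKEN)
    except ValueError as e:
        print("broken local_rules.xml:", e)
```

With the corrected child rule the dspam line ends up owned by rule 10002 at level 0 and produces no alert, while the sshd line still fires 1002 at level 7; the child is only consulted after its if_sid parent has matched, so a process_message line without the word "error" matches nothing at all.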
