On Monday 09 October 2006 17:30, Brian Avis wrote:
Brian,

The "rule id" needs to start with 100000 and on up to 109999 (User Rules' 
Reserved Area) .. 

That part of the wiki is not clear, I must confess ..

if_sid is ok though that matches the actual "referring" rule

Like So .. 

<rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match>process_message</match>
    <description>Mail delivery messages ignored</description>
</rule>

> Thanks.  That all seems to make sense, except I must have screwed it up. 
> :)
>
> This is what I put into the rules/local_rules.xml file in this group....
>
> <group name="local,syslog,">
>
>
> #other example stuff added by ossec
>
>
> <rule id="1002" level="0">
>    <if_sid>1002</if_sid>
>    <match>process_message</match>
>    <description>Mail delivery messages ignored</description>
> </rule>
>
> </group>
>
> In ossec.conf it already includes that file in the rules section (I
> think anyways).
>
> <include>local_rules.xml</include>
>
> And again... here is the bit in syslog I am trying to ignore.
>
> OSSEC HIDS Notification.
> 2006 Oct 09 12:01:58
>
> Received From: unknown->/var/log/syslog
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> dspam[8355]: [ID 795625 mail.warning] process_message returned error -5.
>  delivering message.
>
>  --END OF NOTIFICATION
>
>
> I just want it to ignore rule 1002 if it is a mail process_message
> error, which is why I put in the bit with <match>process_message</match>
>
> So any hints as to where I screwed up?
>
> Do I have to match on this line? Rule: 1002 fired (level 7) -> "Unknown
> problem somewhere in the system." Instead of the portion of the logs
> that I want to match on?
>
> And yes... I restarted ossec on that box after changing the rules files.
>
> Scot Gardner wrote:
> > I was looking for a way to do this as well with a another error, and
> > found the answer on the wiki page.
> >
> > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> >
> > Scot
> >
> > On 10/9/06, Brian Avis <[EMAIL PROTECTED]> wrote:
> >> I know there is a way to ignore certain files.  Is there a way to ignore
> >> certain errors?  For example I put ossec on our mail server which is
> >> running dspam.  In /var/log/syslog  we get a lot of these type of errors
> >>
> >>
> >> dspam[20881]: [ID 795625 mail.warning] process_message returned error
> >> -5.  delivering message.
> >>
> >>
> >> that ossec is picking up on and sending to me via e-mail.  After a
> >> couple of hundred of those a day for a few days... the whole thing
> >> starts to become pointless.
> >>
> >> The whole message looks like this.
> >>
> >> OSSEC HIDS Notification.
> >> 2006 Oct 09 07:09:27
> >>
> >> Received From: unknown->/var/log/syslog
> >> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> >> Portion of the log(s):
> >>
> >> dspam[20881]: [ID 795625 mail.warning] process_message returned error
> >> -5.  delivering message.
> >>
> >>
> >>
> >> --END OF NOTIFICATION
> >>
> >>
> >>
> >> I suppose I could set it to either ignore syslog or to not fire off a
> >> message unless the alert level is 8, but those seem a bit drastic. Is
> >> there another way?
> >>
> >>
> >>
> >>
> >> --
> >> Brian Avis
> >> SEARHC Medical Clinic
> >> Juneau, AK 99801
> >> (907) 463-4049
> >> Have a nice diurnal anomaly!

-- 
Kindest Regards,

Francesca Smith

"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217

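An added example, not part of the thread or of OSSEC itself: a small Python checker for the mistake discussed above (a local rule that reuses a stock id instead of one from the 100000-109999 user range). It assumes a stock rule set containing only rule 1002, feeds in the dspam line from the thread as a constructed sample, and simplifies OSSEC's <match> to a plain substring test.

```python
import xml.etree.ElementTree as ET

# OSSEC reserves this id range for user-written rules (as stated in the thread).
USER_RULE_MIN, USER_RULE_MAX = 100000, 109999

# Constructed sample: the dspam line the thread wants silenced.
SAMPLE_LOG = ("dspam[8355]: [ID 795625 mail.warning] process_message "
              "returned error -5. delivering message.")

# Constructed: the local_rules.xml as posted (wrong id) and as corrected.
BROKEN_RULES = """<group name="local,syslog,">
<rule id="1002" level="0">
   <if_sid>1002</if_sid>
   <match>process_message</match>
   <description>Mail delivery messages ignored</description>
</rule>
</group>"""

FIXED_RULES = BROKEN_RULES.replace('id="1002"', 'id="100001"')


def parse_rules(xml_text):
    # OSSEC rule files may hold several top-level <group> elements,
    # so wrap the text in a synthetic root to make it well-formed XML.
    root = ET.fromstring("<root>%s</root>" % xml_text)
    return root.iter("rule")


def check_local_rules(xml_text, known_rule_ids, sample_log):
    """Return a list of problems found in a local rules file.

    known_rule_ids: ids of stock rules a local rule may reference via if_sid.
    The <match> check is a simplification: OSSEC's match is a substring-style
    test, so we verify the pattern actually occurs in the sample log line.
    """
    problems = []
    for rule in parse_rules(xml_text):
        rid = int(rule.get("id"))
        if not USER_RULE_MIN <= rid <= USER_RULE_MAX:
            problems.append("rule %d outside user range %d-%d"
                            % (rid, USER_RULE_MIN, USER_RULE_MAX))
        for ref in rule.findall("if_sid"):
            for sid in ref.text.split(","):
                if int(sid.strip()) not in known_rule_ids:
                    problems.append("rule %d: if_sid %s is not a known rule"
                                    % (rid, sid.strip()))
        for m in rule.findall("match"):
            if m.text not in sample_log:
                problems.append("rule %d: match '%s' not found in sample log"
                                % (rid, m.text))
    return problems
```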