ossec version 1.2
Hi,
I'm trying to figure out if I can exclude the following messages without
disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx (due to previous errors)
Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is neither permitted nor denied by SPF record at somedomain.com)
I'm wondering if there is a way I can set up an exclude clause, and how I can go
about writing such a rule to prevent ossec from sending me an email whenever
any of the above lines are printed to /var/log/messages?
thx,
SW
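An added example, not part of the original post and not the poster's or the OSSEC project's own configuration: the usual way to silence specific messages without touching rule 1002 in syslog_rules.xml is a child rule in rules/local_rules.xml that depends on 1002 via if_sid, matches the noisy text, and carries level 0, which OSSEC treats as "ignore" (no alert, so no e-mail). The rule ids 100010 and 100011 are arbitrary picks from the 100000+ range that OSSEC reserves for local rules; the match strings are lifted from the log lines quoted above. This assumes the child-rule syntax (if_sid, match, level) is supported by the OSSEC version in use.

```xml
<!-- rules/local_rules.xml: child rules that override 1002 for known-noisy messages.
     Level 0 = ignore: the event is dropped before alerting, so no e-mail is sent.
     Ids 100010/100011 are arbitrary values from the local-rule range (assumption). -->
<group name="local,syslog,">

  <!-- freshclam mirror trouble: "connect_error ... Connection timed out" and
       "Ignoring mirror ... (due to previous errors)". <match> is a literal,
       case-sensitive substring test, so "freshclam" covers both lines. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>freshclam</match>
    <description>freshclam mirror errors, ignored.</description>
  </rule>

  <!-- SPF "neutral" results, matched on the fixed part of the message. -->
  <rule id="100011" level="0">
    <if_sid>1002</if_sid>
    <match>is neither permitted nor denied by SPF record</match>
    <description>SPF neutral result, ignored.</description>
  </rule>

</group>
```

Two caveats. Matching on "freshclam" alone is broader than the two quoted lines: any freshclam message that rule 1002 would have caught (for example a real database-update failure) is silenced too, so narrow the match string if that matters. And local_rules.xml must be listed in the rules section of ossec.conf after syslog_rules.xml, since a child rule can only reference a rule id that has already been loaded; restart OSSEC after editing, and feed one of the quoted lines through ossec-logtest, if that tool is present in your install, to confirm that 100010 or 100011 fires instead of 1002.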