Hi Steve,

This is easy to do with ossec. Just create a local rule to exclude these messages (include the following in /var/ossec/rules/local_rules.xml):

<group name="local">
  <rule id="100101" level="0">
    <!-- only evaluated after rule 1002 has matched -->
    <if_sid>1002</if_sid>
    <!-- '|' separates alternatives; each is a literal substring, not a regex -->
    <match>connect_error: getsockopt|Ignoring mirror|is neither permitted nor</match>
    <!-- level 0 means the event is dropped and no alert is sent -->
    <description>Events ignored.</description>
  </rule>
</group>

What does it mean? Every time rule 1002 is matched, the above will be checked and, if it matches, the event is ignored (see level = 0).

For more info: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/13/07, Steve West <[EMAIL PROTECTED]> wrote:
>
> ossec version 1.2
>
> Hi,
>
> I'm trying to figure out if I can exclude the following messages without
> disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
>
> Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR):
> fd=5 error=110: Connection timed out
>
> Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx (due
> to previous errors)
>
> Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is neither
> permitted nor denied by SPF record at somedomain.com)
>
> I'm wondering if there is a way I can set up an exclude clause and how I can
> go about writing such a rule to prevent ossec from sending me an email
> whenever any of the above lines are printed to /var/log/messages?
>
> thx,
>
> SW
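The following is an added example, not code from the thread or from OSSEC itself: a small Python simulation of how the local rule above interacts with rule 1002, run over the three log lines Steve quoted (re-joined where his mail client wrapped them) plus two constructed control lines. It models only what the rule relies on: a parent rule matching on "bad words", a child attached with <if_sid>, a <match> whose '|' separates literal substrings, and level 0 meaning "ignore". The BAD_WORDS list is an assumed approximation of the $BAD_WORDS variable in syslog_rules.xml, not the real list, and the matching semantics are simplified (no '^'/'$' anchors, no regex).

```python
"""Simulation of how the local_rules.xml rule from this thread filters events.

Added example, not OSSEC's own code.  It models a parent rule (1002) matching
on "bad words", a child rule (100101) attached with <if_sid>, a <match> whose
'|' separates literal substrings (OSSEC <match> is not a regex), and level 0
meaning "ignore".  BAD_WORDS is an assumed approximation of $BAD_WORDS in
syslog_rules.xml; the real list may differ.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: approximation of OSSEC's $BAD_WORDS variable.
BAD_WORDS = ("core_dumped|failure|error|attack|bad |illegal |denied|"
             "refused|unauthorized|fatal|failed")


@dataclass
class Rule:
    rule_id: int
    level: int
    match: Optional[str] = None    # <match>: '|'-separated literal substrings
    if_sid: Optional[int] = None   # child rule: only checked after parent fired
    description: str = ""


def ossec_match(pattern: str, line: str) -> bool:
    """Simplified <match>: true if any '|' alternative occurs anywhere in the line."""
    return any(alt in line for alt in pattern.split("|"))


# Rule 1002 as described in the thread (level 7) and the exclusion rule from
# the reply (level 0).  Parent first, then the child that refines it.
RULES: List[Rule] = [
    Rule(1002, 7, match=BAD_WORDS,
         description="Unknown problem somewhere in the system."),
    Rule(100101, 0, if_sid=1002,
         match="connect_error: getsockopt|Ignoring mirror|is neither permitted nor",
         description="Events ignored."),
]


def classify(line: str, rules: List[Rule] = RULES) -> Optional[int]:
    """Return the level of the rule that finally applies to the line, or None
    if nothing fires.  A matching child replaces its parent, which is exactly
    how a level-0 child silences a level-7 parent."""
    fired: Optional[Rule] = None
    for rule in rules:
        if rule.if_sid is not None:
            if fired is None or fired.rule_id != rule.if_sid:
                continue            # parent has not fired for this line
        if rule.match is not None and not ossec_match(rule.match, line):
            continue
        fired = rule
    return None if fired is None else fired.level


def alerting_lines(lines: List[str]) -> List[str]:
    """Lines that would still produce an alert (level above 0)."""
    return [ln for ln in lines if (classify(ln) or 0) > 0]


# Constructed sample: the three lines quoted in the thread, re-joined where
# the mail wrapped them, plus two lines that do not appear in the thread.
IGNORED_LINES = [
    "Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR): "
    "fd=5 error=110: Connection timed out",
    "Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx "
    "(due to previous errors)",
    "Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is neither "
    "permitted nor denied by SPF record at somedomain.com)",
]
# Constructed control lines (not from the thread).
STILL_ALERTS = "Jun 13 20:05:01 mail myapp[2222]: fatal: database connection refused"
NO_MATCH = "Jun 13 20:10:00 mail cron[4321]: (root) CMD (run-parts /etc/cron.hourly)"

if __name__ == "__main__":
    for line in IGNORED_LINES + [STILL_ALERTS, NO_MATCH]:
        print(f"level={classify(line)!s:>4}  {line[:70]}")
```

Running it shows the three quoted lines ending at level 0 while the constructed "fatal ... refused" line still reaches level 7, which is the behaviour the reply describes. The design point worth keeping in mind when writing such exclusions is that the child rule silences everything 1002 would otherwise report for a matching line, so each <match> alternative should stay as specific as the ones above (daemon name plus message fragment); a short substring like "error" would hide genuine failures from the same hosts.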
