Hi Daniel,
Thanks for all the help and all of your great work! I didn't see your
response so I posted to the mailing list the link to the wiki Ignore
Rules page in case anyone else might find it helpful as I did.
Your suggestion is much more elegant and simpler than what I came up
with: ;-)
<group name="local">
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <!-- the fd=5 part ties this to one descriptor; the same timeout on another fd will not match -->
    <match>connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out</match>
    <description>Freshclamav failed connection events ignored</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <match>Ignoring mirror</match>
    <description>Freshclamav failed connection events ignored</description>
  </rule>
  <rule id="100004" level="0">
    <if_sid>1002</if_sid>
    <!-- match is a substring test, so this also silences any other rule 1002 event containing "SPF" -->
    <match>SPF</match>
    <description>spf log entries ignored</description>
  </rule>
  <rule id="100005" level="0">
    <if_sid>1002</if_sid>
    <match>error in processing during lookup of</match>
    <description>spf log entries ignored</description>
  </rule>
  <rule id="100006" level="0">
    <if_sid>1002</if_sid>
    <match>sslserver: warning: dropping connection, unable to accept SSL</match>
    <description>SMTP SSL Connection Error log entries ignored</description>
  </rule>
</group>
thx,
SW
Daniel Cid wrote:
> Hi Steve,
>
> This is easy to do with ossec. Just create a local rule to exclude
> these messages
> (include the following at /var/ossec/rules/local_rules.xml ):
>
> <group name="local">
>   <rule id="100101" level="0">
>     <if_sid>1002</if_sid>
>     <match>connect_error: getsockopt|Ignoring mirror|is neither permitted nor</match>
>     <description>Events ignored.</description>
>   </rule>
> </group>
>
> What does it mean? Every time the rule 1002 is matched, the above will be
> checked and, if matched, ignored (see level = 0).
>
> For more info: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 6/13/07, Steve West <[EMAIL PROTECTED]> wrote:
>>
>> ossec version 1.2
>>
>> Hi,
>>
>> I'm trying to figure out if I can exclude the following messages without
>> disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
>>
>> Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
>> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
>>
>> Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx (due to previous errors)
>>
>> Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is neither permitted nor denied by SPF record at somedomain.com)
>>
>> I'm wondering if there is a way I can setup an exclude clause and how
>> I can go about writing such a rule to prevent ossec from sending me an
>> email whenever any of the above lines are printed to /var/log/messages?
>>
>> thx,
>>
>> SW
>>
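As an added illustration (not code from this thread or from OSSEC itself), the following Python script emulates how the local rule Daniel quotes above would classify Steve's three sample log lines, plus one constructed line that should still alert. Rule 1002 is reduced to an assumed keyword list, and OSSEC's `<match>` is modelled as a plain substring test with `|` as OR.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml, modelled on the rule Daniel suggests in the thread.
LOCAL_RULES = """<group name="local">
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>connect_error: getsockopt|Ignoring mirror|is neither permitted nor</match>
    <description>Events ignored.</description>
  </rule>
</group>"""

# Stand-in for rule 1002 from syslog_rules.xml (assumption: it fires on generic
# error keywords; only those present in the thread's sample lines are listed).
PARENT_ID, PARENT_LEVEL = 1002, 7
PARENT_KEYWORDS = ("error", "failed", "denied")

# Sample lines from the thread plus one constructed line that must still alert.
SAMPLE_LINES = [
    "Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out",
    "Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx (due to previous errors)",
    "Jun 13 18:19:25 mail spf: neutral (xxx.xxx.xxx.xxx is neither permitted nor denied by SPF record at somedomain.com)",
    "Jun 13 18:30:01 mail sshd[2201]: error: PAM: Authentication failure for root",  # constructed
]


def load_child_rules(xml_text):
    """Parse <rule> elements; '|' inside <match> is an OR of plain substrings."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append({"id": int(rule.get("id")), "level": int(rule.get("level")),
                      "if_sid": int(rule.findtext("if_sid")),
                      "match": rule.findtext("match").split("|")})
    return rules


def evaluate(log_line, child_rules):
    """Return (rule_id, level) for the line, or None when rule 1002 never fires."""
    if not any(k in log_line for k in PARENT_KEYWORDS):
        return None
    # Once 1002 matches, OSSEC tries its children (if_sid 1002); the first whose
    # <match> substring is found decides the level, and level 0 means no alert.
    for child in child_rules:
        if child["if_sid"] == PARENT_ID and any(s in log_line for s in child["match"]):
            return child["id"], child["level"]
    return PARENT_ID, PARENT_LEVEL


def classify(lines=SAMPLE_LINES, xml_text=LOCAL_RULES):
    rules = load_child_rules(xml_text)
    return [evaluate(line, rules) for line in lines]
```

The three freshclam/spf lines come back as (100101, 0) and are dropped, while the constructed sshd line still escalates to (1002, 7).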