Hi, I thought I'd reply back to my own question just in case anyone else might be in a position like me and needs to find an answer in the future... ;-)

I used this wiki to ignore certain rules from firing: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

thx, SW

Steve West wrote:
> ossec version 1.2
>
> Hi,
>
> I'm trying to figure out if I can exclude the following messages without
> disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
>
> Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jun 13 20:00:46 mail freshclam[30139]: connect_error:
> getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
>
> Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx
> (due to previous errors)
>
> Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is
> neither permitted nor denied by SPF record at somedomain.com)
>
> I'm wondering if there is a way I can set up an exclude clause and how I
> can go about writing such a rule to prevent ossec from sending me an
> email whenever any of the above lines are printed to /var/log/messages?
>
> thx,
>
> SW
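For anyone landing on this thread later, here is the kind of local_rules.xml override the linked wiki page describes, written out for the three log lines quoted in the original question. This is an added example, not code from the post or from the OSSEC project; the rule IDs 100010 and 100011 and the group name are my own choices (OSSEC reserves 100000-119999 for user rules, so any IDs in that range work). The idea is a level-0 child rule of 1002: OSSEC only checks children after the parent matches, and when a child matches it replaces the parent's alert, so a level-0 child means no alert and no e-mail for exactly those lines while rule 1002 keeps firing for everything else.

```xml
<!-- Added example (not from the post or the OSSEC wiki): drop into
     /var/ossec/rules/local_rules.xml. Rule IDs 100010/100011 and the
     group name are assumptions; only the 100000-119999 ID range is a
     requirement for user rules. -->
<group name="local,syslog,">

  <!-- freshclam mirror and connection errors.
       <if_sid>1002</if_sid> makes this a child of rule 1002, so it is
       only evaluated once 1002 has already matched the line.
       <program_name> restricts it to lines syslog attributed to
       freshclam, so the same words from another daemon still alert.
       In <match>, '|' is OSSEC's OR. Level 0 = never alert, never mail. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <program_name>freshclam</program_name>
    <match>connect_error|Ignoring mirror</match>
    <description>freshclam mirror/connection errors (ignored).</description>
  </rule>

  <!-- SPF results logged by the "spf" program. Only the neutral-result
       wording is silenced; any other spf: line that hits 1002 still
       produces the normal alert. -->
  <rule id="100011" level="0">
    <if_sid>1002</if_sid>
    <program_name>spf</program_name>
    <match>neither permitted nor denied by SPF record</match>
    <description>SPF neutral result (ignored).</description>
  </rule>

</group>
```

Before restarting, feed one of the offending lines to /var/ossec/bin/ossec-logtest on stdin: it prints which rule finally matched, and you want to see 100010 or 100011 (level 0) rather than 1002. Then apply with /var/ossec/bin/ossec-control restart. Two caveats worth keeping in mind: a level-0 match suppresses the alert entirely, so the line will not appear in alerts.log either, and matching on something as broad as just "freshclam" would also hide any future freshclam error you might actually want to see, which is why the <match> strings above are kept specific to the messages in the question.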
