Hi *,

I run the OSSEC agent on several web servers, where I monitor the system files and the webserver log files. Now I ran into a problem with the rule

Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."

This rule (in my understanding) is just pattern matching on bad words, isn't it? And here starts my problem ;)

- there might be a session ID in the webserver log files which includes the three letters bad
- there might be a valid HTML slide with the name terrorist
- there might be a valid HTML slide with the name errorxyz
- ...

All this stuff fires rule 1002 :) Therefore I don't want to apply the rule to the webserver log files, but of course to the system log files on this host ...

I don't have the slightest idea how to manage this with the rules section :) Ideas very welcome!

Cheers,
Philipp
