Forgive me if this has already been discussed, but I searched the
archives and I couldn't find anything on this topic.
I would like to ignore logs on my clients, but because I have a large
number of clients, I would like to set the server to ignore the logs
rather than edit the ossec.conf file on every client. Is this possible?
As an example, I would like to ignore the /etc/httpd/logs/error_log file
on my clients. So I tried putting this rule into the local_rules.xml
file on my server:
<rule id="110007" level="0">
  <if_sid>1003, 31101, 1002</if_sid>
  <match>/etc/httpd/logs/error_log</match>
  <description>Web log ignore.</description>
</rule>
But, it didn't work. I assume the name of the log can't be matched by
the <match> directive? Is there any other directive that I could try?
Thanks.
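An added example, not part of the original post, of how such a server-side ignore rule is normally written in OSSEC. The `<match>` option is compared against the content of the log line, which is why a file path never matches it; OSSEC's rules syntax has a separate `<location>` option that is compared against where the log came from (the file name for local logs, and for agent logs a string of the form `(agentname) ip->/path/to/file`, so matching on the path portion is enough). The rule below keeps the post's rule id 110007, its `<if_sid>` list and its path, and only swaps `<match>` for `<location>`. It assumes 1002, 1003 and 31101 are the rules that actually fire on these events; confirm that with `ossec-logtest` on a sample line from the file before deploying, because a level-0 rule silences every event its parents raise for that file.

```xml
<!-- local_rules.xml on the OSSEC server: drop (level 0) everything that
     rules 1002/1003/31101 raise for the Apache error_log on any agent. -->
<group name="local,apache,">
  <rule id="110007" level="0">
    <!-- Only applies when one of these parent rules has already matched. -->
    <if_sid>1003, 31101, 1002</if_sid>
    <!-- Compared against the log origin, not the log text; a substring of
         the agent location "(agent) ip->/etc/httpd/logs/error_log" suffices. -->
    <location>/etc/httpd/logs/error_log</location>
    <description>Apache error_log ignored by server-side rule.</description>
  </rule>
</group>
```

Restart ossec-analysisd (or the whole server) after editing local_rules.xml, then re-run `ossec-logtest` with a line from the file: the output should now end at rule 110007 with level 0 instead of at the parent rule.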