Hi Chris,
The location where the alert came from can be searched using the
"hostname" tag.
For example:
<rule id="110007" level="0">
  <if_sid>1003, 31101, 1002</if_sid>
  <hostname>error_log</hostname>
  <description>Web log ignore.</description>
</rule>
Basically, when you look at an alert it has:
"Received From: (xx) 192.168.2.0->/var/log/messages"
Everything after the "from: " is what the hostname matches...
**ok, before someone complains, I know hostname is not the best name for this
option, but this is what we have now. Patches are welcome :)
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
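To make Daniel's point concrete, here is an added example that is not part of the thread and not OSSEC code. It parses a few constructed e-mail notifications in OSSEC's layout, takes the text after "Received From: " as the location, and evaluates a level-0 ignore rule against them with a deliberately simplified model of OSSEC's plain matcher (substring test, leading `^` anchor, `|` alternatives; the real matcher has more features). It shows why Chris's `<match>` rule never fires (it is tested against the log body, which does not contain the file path) while the same string in `<hostname>`, or just `error_log`, is tested against the location and does.

```python
import re

# Constructed sample notifications in the layout of OSSEC e-mail alerts.
# They are made up for this example. The text after "Received From: " is the
# location that <hostname> is matched against.
SAMPLE_NOTIFICATIONS = """\
OSSEC HIDS Notification.
2007 Sep 14 10:00:00

Received From: (web01) 192.168.2.10->/etc/httpd/logs/error_log
Rule: 31101 fired (level 5) -> "Web server 400 error code."
Portion of the log(s):

[Fri Sep 14 10:00:00 2007] [error] [client 192.168.2.50] File does not exist: /var/www/html/missing

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Sep 14 10:00:01

Received From: (web01) 192.168.2.10->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Sep 14 10:00:01 web01 kernel: error: disk I/O failure on sda

 --END OF NOTIFICATION
"""

NOTIFICATION_RE = re.compile(
    r"Received From: (?P<location>[^\n]+)\n"
    r"Rule: (?P<sid>\d+) fired [^\n]*\n"
    r"Portion of the log\(s\):\n\n"
    r"(?P<log>.*?)\n\n --END OF NOTIFICATION",
    re.S,
)


def parse_notifications(text):
    """Return one dict per notification: location, rule id, and log body."""
    return [
        {"location": m.group("location"), "sid": m.group("sid"), "log": m.group("log")}
        for m in NOTIFICATION_RE.finditer(text)
    ]


def os_match(pattern, text):
    """Simplified model (an assumption, not OSSEC's code) of the plain matcher:
    '|' separates alternatives, a leading '^' anchors at the start, and
    anything else is a substring test."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def rule_fires(rule, alert):
    """Evaluate a level-0 ignore rule against one parsed alert.

    rule keys: "if_sid" (set of parent rule ids), optional "hostname",
    optional "match". <hostname> is tested against the location
    (everything after "Received From: "); <match> only against the log body.
    """
    if alert["sid"] not in rule["if_sid"]:
        return False
    if "hostname" in rule and not os_match(rule["hostname"], alert["location"]):
        return False
    if "match" in rule and not os_match(rule["match"], alert["log"]):
        return False
    return True


def ignored_locations(rule, text):
    """Locations of the sample alerts that the ignore rule would suppress."""
    return [a["location"] for a in parse_notifications(text) if rule_fires(rule, a)]


PARENTS = {"1003", "31101", "1002"}
# Daniel's rule: <hostname> is tested against the location, so error_log is dropped.
HOSTNAME_RULE = {"if_sid": PARENTS, "hostname": "error_log"}
# Chris's first attempt: <match> is tested against the log body, which never
# contains the file path, so the rule never fires.
MATCH_RULE = {"if_sid": PARENTS, "match": "/etc/httpd/logs/error_log"}
# The same path moved into <hostname> does work, and is more precise than error_log.
PATH_RULE = {"if_sid": PARENTS, "hostname": "/etc/httpd/logs/error_log"}

if __name__ == "__main__":
    for name, rule in [("hostname", HOSTNAME_RULE), ("match", MATCH_RULE), ("path", PATH_RULE)]:
        print(name, ignored_locations(rule, SAMPLE_NOTIFICATIONS))
```

Running it prints the error_log location for the `hostname` and `path` rules and an empty list for the `match` rule. Using the full path rather than `error_log` alone avoids also silencing any other location (or agent name) that happens to contain that substring.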
On 9/14/07, Chris Russell <[EMAIL PROTECTED]> wrote:
>
> Forgive me if this has already been discussed, but I searched the archives
> and I couldn't find anything on this topic.
>
> I would like to ignore logs on my clients, but because I have a large number
> of clients, I would like to set the server to ignore the logs rather than
> edit the ossec.conf file on every client. Is this possible?
>
> As an example, I would like to ignore the /etc/httpd/logs/error_log file on
> my clients. So I tried putting this rule into the local_rules.xml file on
> my server:
>
> <rule id="110007" level="0">
>   <if_sid>1003, 31101, 1002</if_sid>
>   <match>/etc/httpd/logs/error_log</match>
>   <description>Web log ignore.</description>
> </rule>
>
> But it didn't work. I assume the name of the log can't be matched by the
> <match> directive? Is there any other directive that I could try?
>
> Thanks.