Hopefully there is an easy answer to my problem. I am using OSSEC to
monitor Cisco logs coming in via syslog.
First problem:
The decoder is not working and I believe it is because the following
commands were not executed on the routers.
* To avoid having an invalid syslog header with extra timestamps
and sequence numbers, disable it:
no service sequence-numbers
no service timestamps debug uptime
no service timestamps log uptime
By policy I cannot execute these commands on the routers. I believe
that this may be fubar'ing the decoder. Does this make sense?
The second problem is related to the first. Because I have all of
these invalid syslog headers, I was getting hit hard with alerts from
default rule #1002. Instead of changing the default rule so that it
wouldn't match, I added the following to local rules to just ignore
the rule causing the problem.
<rule id="100101" level="0">
<if_sid>1002</if_sid>
<options>no_log</options>
<description>Ignore Noisy Rules</description>
</rule>
Well, the emails stopped and the alerts stopped, but the GUI now shows a
large number of level 0 alerts (that should be ignored) and a large
number of rule 100101 events.

Aggregate values by level    Value     Percentage
Total for level 7                1       0.0%
Total for level 3                2       0.0%
Total for level 0           11,837     100.0%
Total for all levels        11,840     100%

Aggregate values by rule     Value     Percentage
Total for Rule 550               1       0.0%
Total for Rule 502               2       0.0%
Total for Rule 100101       11,837     100.0%
Total for all rules         11,840     100%
Is there a way to set a rule to completely ignore a default rule other
than changing the default rules that come with OSSEC?
Any help would be greatly appreciated.
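As an added illustration (not part of the original post, and not OSSEC's own decoder code), here is a small Python normalizer showing what the three disabled IOS commands would have removed: an optional six-digit sequence number and an optional uptime stamp in front of the %FACILITY-SEVERITY-MNEMONIC header. The sample lines and the prefix patterns are constructed assumptions about common IOS output, not taken from the poster's routers.

```python
import re

# Constructed Cisco IOS-style log payloads (the part after the syslog
# PRI/host header). The optional prefixes mirror what `service sequence-numbers`
# and `service timestamps log uptime` add on the router.
SAMPLE_LINES = [
    # sequence number + uptime stamp, the form the post says breaks decoding
    "000123: 1w2d: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    # uptime stamp only, hh:mm:ss form used before the first day rolls over
    "00:02:10: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    # already clean, i.e. the header shape a decoder keys on
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(1234) -> 10.2.2.2(22), 1 packet",
    # sequence number only
    "000124: %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
]

# Assumed prefix shapes: "NNNNNN: " sequence number, then an uptime stamp such as
# "1w2d: ", "3d04h: " or "00:02:10: " (optionally with ".mmm" milliseconds).
SEQ_RE = re.compile(r"^\d{6}:\s+")
UPTIME_RE = re.compile(r"^(?:\d+w\d+d|\d+d\d+h|\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+")
# Canonical IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s")


def normalize(line: str) -> str:
    """Strip the sequence-number and uptime prefixes, leaving the %FAC-SEV-MNEMONIC message."""
    line = SEQ_RE.sub("", line, count=1)
    line = UPTIME_RE.sub("", line, count=1)
    return line


def parse(line: str):
    """Return (facility, severity, mnemonic), or None if the header is not in canonical form."""
    m = MSG_RE.match(line)
    if not m:
        return None
    return m.group("facility"), int(m.group("severity")), m.group("mnemonic")


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        clean = normalize(raw)
        print("raw : %s -> %s" % ("decodes" if parse(raw) else "FAILS", raw))
        print("norm: %s -> %s" % ("decodes" if parse(clean) else "FAILS", clean))
```

Running it shows the first, second and fourth lines failing to parse as-is and succeeding once the prefixes are removed, which is the gap a collector-side rewrite would have to close when the router configuration cannot be changed.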